Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability
author Sam Lantinga <slouken@libsdl.org>
Mon, 10 Jun 2019 23:50:21 -0700
changeset 657 95fc7da55247
parent 656 b1a80aec2b10
child 658 26061e601c81

By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.
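The wraparound described in the commit message, shown next to a division-based check that never forms the overflowed product. This is an added example, not code from the commit or from SDL_image; `wrapped_size32`, `keytable_size`, the `limit` parameter and the header values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a 32-bit size computation yields for ncolors * cpp: the product is
 * reduced modulo 2^32, so a huge header can produce a tiny allocation size. */
static uint32_t wrapped_size32(uint32_t ncolors, uint32_t cpp)
{
    return ncolors * cpp;               /* unsigned arithmetic wraps */
}

/* Hypothetical helper: validate the header values and compute the key table
 * size by dividing first. `limit` stands for the largest size the allocator
 * can represent (SIZE_MAX in real code; a parameter here so the 32-bit case
 * can be exercised on any host).
 * Returns 1 and stores the size on success, 0 if the header must be rejected. */
static int keytable_size(int64_t ncolors, int64_t cpp,
                         uint64_t limit, uint64_t *out)
{
    if (ncolors <= 0 || cpp <= 0)
        return 0;                       /* also rules out division by zero */
    if ((uint64_t)ncolors > limit / (uint64_t)cpp)
        return 0;                       /* ncolors * cpp would exceed limit */
    *out = (uint64_t)ncolors * (uint64_t)cpp;
    return 1;
}

int main(void)
{
    /* Constructed header values, not taken from a real file. */
    uint32_t ncolors = 0x40000001u, cpp = 4;
    uint64_t size = 0;

    printf("wrapped 32-bit size: %u bytes\n",
           (unsigned)wrapped_size32(ncolors, cpp));
    printf("checked against 32-bit limit: %s\n",
           keytable_size(ncolors, cpp, UINT32_MAX, &size) ? "accepted"
                                                          : "rejected");
    if (keytable_size(256, 2, UINT32_MAX, &size))
        printf("256 colors, cpp 2: %llu bytes\n", (unsigned long long)size);
    return 0;
}
```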
IMG_xpm.c
     1.1 --- a/IMG_xpm.c	Mon Jun 10 17:24:08 2019 -0700
     1.2 +++ b/IMG_xpm.c	Mon Jun 10 23:50:21 2019 -0700
     1.3 @@ -1026,6 +1026,11 @@
     1.4          goto done;
     1.5      }
     1.6  
     1.7 +    /* Check for allocation overflow */
     1.8 +    if ((size_t)(ncolors * cpp)/cpp != ncolors) {
     1.9 +        error = "Invalid color specification";
    1.10 +        goto done;
    1.11 +    }
    1.12      keystrings = (char *)SDL_malloc(ncolors * cpp);
    1.13      if (!keystrings) {
    1.14          error = "Out of memory";
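Review bot: The added test `if ((size_t)(ncolors * cpp)/cpp != ncolors)` casts the product after it has been computed, so the multiplication still happens in whatever type `ncolors` and `cpp` are declared with (the declarations are outside this hunk). If that type is signed, the overflow being tested for is undefined behaviour and a compiler is allowed to drop the check; if it is narrower than `size_t`, only wraparound in the narrower type is detected. Dividing before multiplying avoids forming the product at all, for example `if ((size_t)ncolors > SIZE_MAX / (size_t)cpp)`. Either form assumes `cpp` is non-zero and both values are non-negative, so please confirm that the validation preceding this hunk (not shown) rejects `cpp <= 0`, or say so in the comment. The `SDL_malloc(ncolors * cpp)` call on the next line repeats the same uncast multiplication and should use the checked size.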
    1.15 @@ -1093,8 +1098,9 @@
    1.16                  c->g = (Uint8)(rgb >> 8);
    1.17                  c->b = (Uint8)(rgb);
    1.18                  pixel = index;
    1.19 -            } else
    1.20 +            } else {
    1.21                  pixel = rgb;
    1.22 +            }
    1.23              add_colorhash(colors, nextkey, cpp, pixel);
    1.24              nextkey += cpp;
    1.25              if (rgb == 0xffffffff)
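Review bot: The braces added around `pixel = rgb;` are a style-only change unrelated to the allocation check, and the trailing `if (rgb == 0xffffffff)` context line keeps the unbraced style. Since a security fix like this is likely to be backported, consider moving the brace cleanup into a separate commit so the fix stays minimal, or brace the rest of this block consistently in the same change.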