bmp: backport CVE-2019-7635 (SDL bug 4498) fix from main 2.0 branch: SDL-1.2
authorOzkan Sezer <sezeroz@gmail.com>
Thu, 11 Jul 2019 00:55:02 +0300
branchSDL-1.2
changeset 680a3a7cac00d5f
parent 679 8d6699dd9d74
child 681 9ccaa3a0dfb6
bmp: backport CVE-2019-7635 (SDL bug 4498) fix from main 2.0 branch:
mainstream commit:
https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
IMG_bmp.c
     1.1 --- a/IMG_bmp.c	Wed Jul 10 23:51:28 2019 +0300
     1.2 +++ b/IMG_bmp.c	Thu Jul 11 00:55:02 2019 +0300
     1.3 @@ -292,6 +292,14 @@
     1.4  			ExpandBMP = biBitCount;
     1.5  			biBitCount = 8;
     1.6  			break;
     1.7 +		case 2:
     1.8 +		case 3:
     1.9 +		case 5:
    1.10 +		case 6:
    1.11 +		case 7:
    1.12 +			IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
    1.13 +			was_error = SDL_TRUE;
    1.14 +			goto done;
    1.15  		default:
    1.16  			ExpandBMP = 0;
    1.17  			break;
    1.18 @@ -444,7 +452,12 @@
    1.19  						goto done;
    1.20  					}
    1.21  				}
    1.22 -				*(bits+i) = (pixel>>shift);
    1.23 +				bits[i] = (pixel >> shift);
    1.24 +				if (bits[i] >= biClrUsed) {
    1.25 +					IMG_SetError("A BMP image contains a pixel with a color out of the palette");
    1.26 +					was_error = SDL_TRUE;
    1.27 +					goto done;
    1.28 +				}
    1.29  				pixel <<= ExpandBMP;
    1.30  			} }
    1.31  			break;
    1.32 @@ -456,6 +469,15 @@
    1.33  				was_error = SDL_TRUE;
    1.34  				goto done;
    1.35  			}
    1.36 +			if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
    1.37 +				for (i = 0; i < surface->w; ++i) {
    1.38 +					if (bits[i] >= biClrUsed) {
    1.39 +						IMG_SetError("A BMP image contains a pixel with a color out of the palette");
    1.40 +						was_error = SDL_TRUE;
    1.41 +						goto done;
    1.42 +					}
    1.43 +				}
    1.44 +			}
    1.45  #if SDL_BYTEORDER == SDL_BIG_ENDIAN
    1.46  			/* Byte-swap the pixels if needed. Note that the 24bpp
    1.47  			   case has already been taken care of above. */