src/events/SDL_displayevents.c
author Sam Lantinga <slouken@libsdl.org>
Mon, 18 Feb 2019 07:50:33 -0800
changeset 12612 07c39cbbeacf
parent 12503 806492103856
permissions -rw-r--r--
Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c

Petr Pisar

The reproducer has these data in BITMAPINFOHEADER:

biSize = 40
biBitCount = 8
biClrUsed = 131075

The SDL_LoadBMP_RW() function passes biBitCount as the color depth to SDL_CreateRGBSurface(), so a 256-color palette is allocated. But then biClrUsed colors are read from the file and stored into the palette. SDL_LoadBMP_RW() should report an error if biClrUsed is greater than 2^biBitCount.
/*
  Simple DirectMedia Layer
  Copyright (C) 1997-2019 Sam Lantinga <slouken@libsdl.org>
  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the authors be held liable for any damages
  arising from the use of this software.
  Permission is granted to anyone to use this software for any purpose,
  including commercial applications, and to alter it and redistribute it
  freely, subject to the following restrictions:
  1. The origin of this software must not be misrepresented; you must not
     claim that you wrote the original software. If you use this software
     in a product, an acknowledgment in the product documentation would be
     appreciated but is not required.
  2. Altered source versions must be plainly marked as such, and must not be
     misrepresented as being the original software.
  3. This notice may not be removed or altered from any source distribution.
*/
#include "../SDL_internal.h"
/* Display event handling code for SDL */
#include "SDL_events.h"
#include "SDL_events_c.h"
/*
 * Record a display state change and, if display events are enabled,
 * queue an SDL_DISPLAYEVENT describing it.
 *
 * display      - the display the event refers to; a NULL pointer is ignored.
 * displayevent - the display event id, stored in event.display.event.
 * data1        - event-specific payload; for SDL_DISPLAYEVENT_ORIENTATION it
 *                is the new orientation value.
 *
 * Returns 1 when SDL_PushEvent() reported a value greater than zero, and 0
 * in every other case (NULL display, redundant or unknown orientation,
 * display events not enabled, or the push not succeeding).
 */
int
SDL_SendDisplayEvent(SDL_VideoDisplay *display, Uint8 displayevent, int data1)
{
    SDL_Event ev;

    if (!display) {
        return 0;
    }

    if (displayevent == SDL_DISPLAYEVENT_ORIENTATION) {
        /* Drop unknown orientations and repeats of the current one */
        if (data1 == SDL_ORIENTATION_UNKNOWN) {
            return 0;
        }
        if (data1 == display->orientation) {
            return 0;
        }
        /* Cached state is updated even when the event is not posted below */
        display->orientation = (SDL_DisplayOrientation)data1;
    }

    /* Nothing to queue unless the application has display events enabled */
    if (SDL_GetEventState(SDL_DISPLAYEVENT) != SDL_ENABLE) {
        return 0;
    }

    /*
     * Only the type and the three display members below are written; the
     * remaining bytes of the SDL_Event union keep whatever the stack held.
     * NOTE(review): confirm that SDL_PushEvent() fills in anything else
     * consumers rely on and that no reader looks at the untouched bytes,
     * or zero the event before filling it.
     */
    ev.type = SDL_DISPLAYEVENT;
    ev.display.event = displayevent;
    ev.display.display = SDL_GetIndexOfDisplay(display);
    ev.display.data1 = data1;

    return (SDL_PushEvent(&ev) > 0);
}
/* vi: set ts=4 sw=4 expandtab: */