BUGS.txt
author Sam Lantinga <slouken@libsdl.org>
Mon, 18 Feb 2019 07:50:33 -0800
changeset 12612 07c39cbbeacf
parent 10952 fabcc99bb455
permissions -rw-r--r--
Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c

Petr Pisar

The reproducer has these data in BITMAPINFOHEADER:

biSize = 40
biBitCount = 8
biClrUsed = 131075

SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus a 256-color palette is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
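The check the report asks for, as an added example that is not part of this changeset or of SDL's code: a stand-alone validator that rejects a BITMAPINFOHEADER whose biClrUsed exceeds 2^biBitCount before any palette entry is read. The names `checked_palette_count` and `make_header` are hypothetical, and the sample header is constructed from the three values quoted in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets of the fields used here inside a 40-byte BITMAPINFOHEADER. */
enum { OFF_BISIZE = 0, OFF_BIBITCOUNT = 14, OFF_BICLRUSED = 32, HDR_LEN = 40 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | p[1] << 8);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hypothetical helper: returns how many palette entries may be read into a
 * palette sized for biBitCount, or -1 if the header must be rejected. */
int checked_palette_count(const uint8_t *hdr, size_t len) {
    if (len < HDR_LEN || rd_le32(hdr + OFF_BISIZE) != HDR_LEN) return -1;
    uint16_t bits = rd_le16(hdr + OFF_BIBITCOUNT);
    if (bits == 0 || bits > 8) return -1;      /* only palettized depths here */
    uint32_t capacity = 1u << bits;            /* entries the palette can hold */
    uint32_t used = rd_le32(hdr + OFF_BICLRUSED);
    if (used == 0) used = capacity;            /* 0 means "full palette" in BMP */
    if (used > capacity) return -1;            /* the condition from the report */
    return (int)used;
}

/* Builds a constructed sample header; all other fields are left at zero. */
void make_header(uint8_t hdr[HDR_LEN], uint16_t bits, uint32_t clr_used) {
    memset(hdr, 0, HDR_LEN);
    wr_le32(hdr + OFF_BISIZE, HDR_LEN);
    hdr[OFF_BIBITCOUNT] = (uint8_t)bits;
    hdr[OFF_BIBITCOUNT + 1] = (uint8_t)(bits >> 8);
    wr_le32(hdr + OFF_BICLRUSED, clr_used);
}

int main(void) {
    uint8_t hdr[HDR_LEN];
    make_header(hdr, 8, 131075);               /* values from the reproducer */
    printf("reproducer header: %d\n", checked_palette_count(hdr, sizeof hdr));
    make_header(hdr, 8, 0);
    printf("well-formed header: %d\n", checked_palette_count(hdr, sizeof hdr));
    return 0;
}
```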

Bugs are now managed in the SDL bug tracker, here:

    https://bugzilla.libsdl.org/

You may report bugs there, and search to see if a given issue has already
 been reported, discussed, and maybe even fixed.


You may also find help at the SDL forums/mailing list:

    https://discourse.libsdl.org/

Bug reports are welcome here, but we really appreciate if you use Bugzilla, as
 bugs discussed on the mailing list may be forgotten or missed.
