author Sam Lantinga <>
Mon, 18 Feb 2019 07:50:33 -0800
changeset 12612 07c39cbbeacf
parent 12503 806492103856
permissions -rw-r--r--
Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c

Petr Pisar

The reproducer has these data in BITMAPINFOHEADER:

biSize = 40
biBitCount = 8
biClrUsed = 131075

SDL_LoadBMP_RW() passes biBitCount as the color depth to SDL_CreateRGBSurface(), so a 256-color palette is allocated. But then biClrUsed colors are read from the file and stored into that palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
     1 /*
     2   Simple DirectMedia Layer
     3   Copyright (C) 1997-2019 Sam Lantinga <>
     5   This software is provided 'as-is', without any express or implied
     6   warranty.  In no event will the authors be held liable for any damages
     7   arising from the use of this software.
     9   Permission is granted to anyone to use this software for any purpose,
    10   including commercial applications, and to alter it and redistribute it
    11   freely, subject to the following restrictions:
    13   1. The origin of this software must not be misrepresented; you must not
    14      claim that you wrote the original software. If you use this software
    15      in a product, an acknowledgment in the product documentation would be
    16      appreciated but is not required.
    17   2. Altered source versions must be plainly marked as such, and must not be
    18      misrepresented as being the original software.
    19   3. This notice may not be removed or altered from any source distribution.
    20 */
    21 #ifndef SDL_dataqueue_h_
    22 #define SDL_dataqueue_h_
    24 /* this is not (currently) a public API. But maybe it should be! */
    26 struct SDL_DataQueue;
    27 typedef struct SDL_DataQueue SDL_DataQueue;
    29 SDL_DataQueue *SDL_NewDataQueue(const size_t packetlen, const size_t initialslack);
    30 void SDL_FreeDataQueue(SDL_DataQueue *queue);
    31 void SDL_ClearDataQueue(SDL_DataQueue *queue, const size_t slack);
    32 int SDL_WriteToDataQueue(SDL_DataQueue *queue, const void *data, const size_t len);
    33 size_t SDL_ReadFromDataQueue(SDL_DataQueue *queue, void *buf, const size_t len);
    34 size_t SDL_PeekIntoDataQueue(SDL_DataQueue *queue, void *buf, const size_t len);
    35 size_t SDL_CountDataQueue(SDL_DataQueue *queue);
    37 /* this sets a section of the data queue aside (possibly allocating memory for it)
    38    as if it's been written to, but returns a pointer to that space. You may write
    39    to this space until a read would consume it. Writes (and other calls to this
    40    function) will safely append their data after this reserved space and can
    41    be in flight at the same time. There is no thread safety.
    42    If there isn't an existing block of memory that can contain the reserved
    43    space, one will be allocated for it. You cannot (currently) reserve
    44    a space larger than the packetlen requested in SDL_NewDataQueue.
    45    Returned buffer is uninitialized.
    46    This lets you avoid an extra copy in some cases, but it's safer to use
    47    SDL_WriteToDataQueue() unless you know what you're doing.
    48    Returns pointer to buffer of at least (len) bytes, NULL on error.
    49 */
    50 void *SDL_ReserveSpaceInDataQueue(SDL_DataQueue *queue, const size_t len);
    52 #endif /* SDL_dataqueue_h_ */
    54 /* vi: set ts=4 sw=4 expandtab: */
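Review bot: The return contract of `SDL_WriteToDataQueue` (file line 32) is undocumented in this header: it is the only function here returning `int` rather than `size_t`, and nothing states what a non-zero result means or whether a failed write leaves the queue untouched, which is exactly what a caller feeding untrusted-length data needs to know. A one-line comment above the prototype stating the success value, the failure value, and whether the queue is modified on failure would close that gap; the exact wording must be confirmed against SDL_dataqueue.c, which is outside this listing. `SDL_NewDataQueue` would likewise benefit from noting that a NULL return means allocation failure and that the result is released with `SDL_FreeDataQueue`. Note also that the biClrUsed check described in the commit message lives in the BMP loader, not in this file, so the fix itself cannot be reviewed from this listing.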