Tue, 11 Jun 2019 00:15:06 -0700 Fixed TALOS-2019-0844 - XPM image colorhash parsing Code Execution Vulnerability
Sam Lantinga [Tue, 11 Jun 2019 00:15:06 -0700] rev 658
Fixed TALOS-2019-0844 - XPM image colorhash parsing Code Execution Vulnerability

The table entry in the color_hash is created in the create_colorhash function based on the number of colors passed into the function. The size of the color_hash table is the first value in the powers of 2 larger than the passed in number of colors [2]. The size of the allocation is this calculated value * 8 (sizeof(struct hash_entry **)) [3]. This multiplication can cause an overflow, resulting in a very small allocation.

Mon, 10 Jun 2019 23:50:21 -0700 Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability
Sam Lantinga [Mon, 10 Jun 2019 23:50:21 -0700] rev 657
Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability

By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.
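
The two XPM fixes above (rev 658 and rev 657) both concern a size multiplication that wraps before the allocation. The C sketch below is an added example, not SDL_image's code: it models the arithmetic in 32 bits, and the function names, the starting table size of 1, and the sizing of the color-code buffer as `ncolors * cpp` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ENTRY_PTR_SIZE 8u /* the "* 8" factor named in the rev 658 message */

/* Smallest power of two >= ncolors (assumed start of 1); 0 if it cannot fit. */
static uint32_t table_slots(uint32_t ncolors)
{
    uint32_t s = 1;
    while (s < ncolors) {
        if (s > UINT32_MAX / 2) return 0;
        s <<= 1;
    }
    return s;
}

/* "Before" shape: the product wraps modulo 2^32 and the caller never knows. */
static uint32_t table_bytes_unchecked(uint32_t ncolors) { return table_slots(ncolors) * ENTRY_PTR_SIZE; }

/* Hardened shape: refuse any count whose byte size is not representable. */
static int table_bytes_checked(uint32_t ncolors, uint32_t *out)
{
    uint32_t slots = table_slots(ncolors);
    if (slots == 0 || slots > UINT32_MAX / ENTRY_PTR_SIZE) return -1;
    *out = slots * ENTRY_PTR_SIZE;
    return 0;
}

/* Same pattern for the color-code buffer (assumed size: ncolors * cpp). */
static uint32_t keys_bytes_unchecked(uint32_t ncolors, uint32_t cpp) { return ncolors * cpp; }

static int keys_bytes_checked(uint32_t ncolors, uint32_t cpp, uint32_t *out)
{
    if (cpp == 0 || ncolors > UINT32_MAX / cpp) return -1;
    *out = ncolors * cpp;
    return 0;
}

int main(void)
{
    uint32_t n = 0; /* header values below are constructed so the products wrap */
    printf("table unchecked=%u checked=%d\n",
           (unsigned)table_bytes_unchecked(0x20000000u), table_bytes_checked(0x20000000u, &n));
    printf("keys  unchecked=%u checked=%d\n",
           (unsigned)keys_bytes_unchecked(0x10000001u, 16u), keys_bytes_checked(0x10000001u, 16u, &n));
    return 0;
}
```

With these constructed values the unchecked sizes come out as 0 and 16 bytes, while the checked versions reject the header before any allocation happens.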

Mon, 10 Jun 2019 17:24:08 -0700 Fixed TALOS-2019-0842 - XCF Image Code Execution Vulnerability
Sam Lantinga [Mon, 10 Jun 2019 17:24:08 -0700] rev 656
Fixed TALOS-2019-0842 - XCF Image Code Execution Vulnerability

Mon, 10 Jun 2019 16:49:12 -0700 Added patch note for emscripten port
Sam Lantinga [Mon, 10 Jun 2019 16:49:12 -0700] rev 655
Added patch note for emscripten port

Mon, 10 Jun 2019 16:46:53 -0700 IMG_Load should attempt to read from preloaded data (#7)
Amadeus [Mon, 10 Jun 2019 16:46:53 -0700] rev 654
IMG_Load should attempt to read from preloaded data (#7)

Mon, 10 Jun 2019 16:45:40 -0700 Update emscripten building instructions
Charlie Birks [Mon, 10 Jun 2019 16:45:40 -0700] rev 653
Update emscripten building instructions
- Recommend Emscripten ports
- Update repo
- More details about prefix

Mon, 10 Jun 2019 16:42:52 -0700 Copy the pixel data into the surface
Brian Palmer [Mon, 10 Jun 2019 16:42:52 -0700] rev 652
Copy the pixel data into the surface
It was getting immediately freed out from underneath the surface; SDL_CreateRGBSurfaceFrom does not copy the pixel data.

Mon, 10 Jun 2019 16:42:16 -0700 Add build instructions for emscripten
Sathyanarayanan Gunasekaran [Mon, 10 Jun 2019 16:42:16 -0700] rev 651
Add build instructions for emscripten
Fixes #1

Mon, 10 Jun 2019 16:41:40 -0700 Port to emscripten
Sathyanarayanan Gunasekaran [Mon, 10 Jun 2019 16:41:40 -0700] rev 650
Port to emscripten
Patch from daft-freak

Mon, 10 Jun 2019 16:32:43 -0700 Fixed bug 4451 - Loading GIFs on multiple threads returns garbage output and crashes
Sam Lantinga [Mon, 10 Jun 2019 16:32:43 -0700] rev 649
Fixed bug 4451 - Loading GIFs on multiple threads returns garbage output and crashes

David Lönnhager

It's due to the use of global variables and static local variables. A quick fix was moving all of that into a "state" struct and declaring it in IMG_LoadGIF_RW(), which apparently fixed the issue.