From 52b9d17eaf7b121c92328ce5d70c22be5739b0be Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Mon, 10 Jun 2019 23:50:21 -0700
Subject: [PATCH] Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability
By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.
---
 IMG_xpm.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/IMG_xpm.c b/IMG_xpm.c
index 7446d087..0ab6a52c 100644
--- a/IMG_xpm.c
+++ b/IMG_xpm.c
@@ -1026,6 +1026,11 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
 goto done;
 }
+ /* Check for allocation overflow */
+ if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+ error = "Invalid color specification";
+ goto done;
+ }
 keystrings = (char *)SDL_malloc(ncolors * cpp);
 if (!keystrings) {
 error = "Out of memory";
@@ -1093,8 +1098,9 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
 c->g = (Uint8)(rgb >> 8);
 c->b = (Uint8)(rgb);
 pixel = index;
- } else
+ } else {
 pixel = rgb;
+ }
 add_colorhash(colors, nextkey, cpp, pixel);
 nextkey += cpp;
 if (rgb == 0xffffffff)
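Review bot: The added guard `(size_t)(ncolors * cpp)/cpp != ncolors` evaluates `ncolors * cpp` before the cast, so if both are `int` (their declarations are outside this hunk) the multiplication is itself a signed overflow, which is undefined behaviour and lets an optimising compiler fold the test away; on 64-bit targets the cast then only widens an already-wrapped value. Test the bound before multiplying and do the product in `size_t`, e.g. `if ((size_t)ncolors > ((size_t)-1) / (size_t)cpp) {` for the guard and `keystrings = (char *)SDL_malloc((size_t)ncolors * (size_t)cpp);` for the allocation, which as written still computes the size in the narrower type. This assumes `ncolors` and `cpp` were already rejected when zero or negative earlier in `load_xpm`, whose body starts and ends outside the hunk. A short comment on the guard noting that both values come from the untrusted XPM header would help the next reader.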