Fixed security vulnerability in XCF image loader (thanks Yves!)

libsdl-org · Oct 6, 2017 · e772367 · e772367
1 parent 045d7b9
commit e772367
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -1,4 +1,6 @@
 2.0.2:
+Yves Younan - Fri, Oct  6, 2017  3:38:38 PM
+ * Fixed security vulnerability in XCF image loader
 Alexey - Tue Sep 12 00:41:53 PDT 2017
  * Added optional support for loading images using Windows Imaging Component
 Fabian Greffrath - Tue Sep 12 00:15:56 PDT 2017

diff --git a/IMG_xcf.c b/IMG_xcf.c
@@ -251,6 +251,7 @@ static Uint32 Swap32 (Uint32 v) {
 }
 
 static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
+  Uint32 len;
   prop->id = SDL_ReadBE32 (src);
   prop->length = SDL_ReadBE32 (src);
 
@@ -274,7 +275,12 @@ static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
     break;
   case PROP_COMPRESSION:
   case PROP_COLOR:
-    SDL_RWread (src, &prop->data, prop->length, 1);
+    if (prop->length > sizeof(prop->data)) {
+        len = sizeof(prop->data);
+    } else {
+        len = prop->length;
+    }
+    SDL_RWread(src, &prop->data, len, 1);
     break;
   case PROP_VISIBLE:
     prop->data.visible = SDL_ReadBE32 (src);