xpm: backport security and bug fixes from main 2.0 branch:

TALOS-2019-0843: XPM image color code code execution vulnerability TALOS-2019-0844: XPM image colorhash parsing Code Execution Vulnerability mainstream commits: https://hg.libsdl.org/SDL_image/rev/95fc7da55247 https://hg.libsdl.org/SDL_image/rev/26061e601c81
libsdl-org · Jul 10, 2019 · 2048abf · 2048abf
1 parent 59b4140
commit 2048abf
Showing 1 changed file with 26 additions and 6 deletions.
diff --git a/IMG_xpm.c b/IMG_xpm.c
@@ -106,7 +106,7 @@ static struct color_hash *create_colorhash(int maxnum)
 
 	/* we know how many entries we need, so we can allocate
 	   everything here */
-	hash = (struct color_hash *)malloc(sizeof *hash);
+	hash = (struct color_hash *)calloc(1, sizeof(*hash));
 	if(!hash)
 		return NULL;
 
@@ -115,15 +115,29 @@ static struct color_hash *create_colorhash(int maxnum)
 		;
 	hash->size = s;
 	hash->maxnum = maxnum;
+
 	bytes = hash->size * sizeof(struct hash_entry **);
-	hash->entries = NULL;	/* in case malloc fails */
-	hash->table = (struct hash_entry **)malloc(bytes);
+	/* Check for overflow */
+	if ((bytes / sizeof(struct hash_entry **)) != hash->size) {
+		IMG_SetError("memory allocation overflow");
+		free(hash);
+		return NULL;
+	}
+	hash->table = (struct hash_entry **)calloc(1, bytes);
 	if(!hash->table) {
 		free(hash);
 		return NULL;
 	}
-	memset(hash->table, 0, bytes);
-	hash->entries = (struct hash_entry *)malloc(maxnum * sizeof(struct hash_entry));
+
+	bytes = maxnum * sizeof(struct hash_entry);
+	/* Check for overflow */
+	if ((bytes / sizeof(struct hash_entry)) != maxnum) {
+		IMG_SetError("memory allocation overflow");
+		free(hash->table);
+		free(hash);
+		return NULL;
+	}
+	hash->entries = (struct hash_entry *)calloc(1, bytes);
 	if(!hash->entries) {
 		free(hash->table);
 		free(hash);
@@ -362,6 +376,11 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
 		goto done;
 	}
 
+	/* Check for allocation overflow */
+	if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+		error = "Invalid color specification";
+		goto done;
+	}
 	keystrings = (char *)malloc(ncolors * cpp);
 	if(!keystrings) {
 		error = "Out of memory";
@@ -429,8 +448,9 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
 				c->g = (Uint8)(rgb >> 8);
 				c->b = (Uint8)(rgb);
 				pixel = index;
-			} else
+			} else {
 				pixel = rgb;
+			}
 			add_colorhash(colors, nextkey, cpp, pixel);
 			nextkey += cpp;
 			if(rgb == 0xffffffff)