Fixed TALOS-2019-0843 - XPM image color code code execution vulnerabi…

…lity By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.
libsdl-org · Jun 11, 2019 · 52b9d17 · 52b9d17
1 parent 0c1db6f
commit 52b9d17
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/IMG_xpm.c b/IMG_xpm.c
@@ -1026,6 +1026,11 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
         goto done;
     }
 
+    /* Check for allocation overflow */
+    if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+        error = "Invalid color specification";
+        goto done;
+    }
     keystrings = (char *)SDL_malloc(ncolors * cpp);
     if (!keystrings) {
         error = "Out of memory";
@@ -1093,8 +1098,9 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
                 c->g = (Uint8)(rgb >> 8);
                 c->b = (Uint8)(rgb);
                 pixel = index;
-            } else
+            } else {
                 pixel = rgb;
+            }
             add_colorhash(colors, nextkey, cpp, pixel);
             nextkey += cpp;
             if (rgb == 0xffffffff)