From: Ryan C. Gordon <icculus@icculus.org>
Date: Sun, 4 Nov 2018 23:56:44 +0000
Subject: CVE-2018-3977 xcf: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
---
 IMG_xcf.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index 064e641..93b6929 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -634,6 +634,9 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
 p16 = (Uint16 *) p8;
 p = (Uint32 *) p8;
 for (y=ty; y < ty+oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
 row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
 switch (hierarchy->bpp) {
 case 4:
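Review bot: The added guard tests `ty`, which never changes inside the `for (y=ty; y < ty+oy; y++)` loop, so it only rejects tiles that start at or past the bottom edge. A tile with `ty < surface->h` but `ty+oy > surface->h` still reaches the `row` computation for rows beyond the end of `surface->pixels`. Testing the loop variable covers that case: `if ((y >= surface->h) || ((tx+ox) > surface->w)) {`. The declarations of `tx`, `ox`, `ty` and `oy` are outside the hunk; if they are signed and derived from file-supplied dimensions, a negative value or an overflowing `tx+ox` could also pass this comparison, so their range should be confirmed where they are computed. do_layer_surface starts and ends outside the hunk, so whether the early `break` leaves the caller with a partially filled surface cannot be judged from here.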