Sophie

SDL_image-1.2.12-14.mga8.src.rpm

Backport of upstream fix:

# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1560235821 25200
# Node ID 95fc7da55247a4368848144b9374a88a6494fd5c
# Parent  b1a80aec2b1037704b666d716505da6ba968cba9
Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability

By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.

--- sdl-image1.2-1.2.12.orig/IMG_xpm.c
+++ sdl-image1.2-1.2.12/IMG_xpm.c
@@ -373,6 +373,11 @@ static SDL_Surface *load_xpm(char **xpm,
 		goto done;
 	}
 
+	/* Check for allocation overflow */
+	if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+		error = "Invalid color specification";
+		goto done;
+	}
 	keystrings = malloc(ncolors * cpp);
 	if(!keystrings) {
 		error = "Out of memory";
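Review bot: In the added check `if ((size_t)(ncolors * cpp)/cpp != ncolors)`, the cast to size_t is applied to the product after it has been computed, so the multiplication still runs in the operands' own type. Their declarations are outside this hunk; if they are signed int, the overflow this test is meant to catch is undefined behaviour in C, and a compiler is allowed to assume it cannot happen and drop the test. The expression also divides by cpp, so it depends on earlier validation (not visible here) having rejected cpp == 0. Suggest doing the test before multiplying, for example rejecting when cpp <= 0 or when ncolors > SIZE_MAX / cpp, and computing the size once as a size_t that is then passed to malloc, since `keystrings = malloc(ncolors * cpp);` currently re-evaluates the same uncast product.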