Backport of upstream fix:
# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1560235821 25200
# Node ID 95fc7da55247a4368848144b9374a88a6494fd5c
# Parent b1a80aec2b1037704b666d716505da6ba968cba9
Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability
By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.
--- sdl-image1.2-1.2.12.orig/IMG_xpm.c
+++ sdl-image1.2-1.2.12/IMG_xpm.c
@@ -373,6 +373,11 @@ static SDL_Surface *load_xpm(char **xpm,
 goto done;
 }
+ /* Check for allocation overflow */
+ if ((size_t)(ncolors * cpp)/cpp != ncolors) {
+ error = "Invalid color specification";
+ goto done;
+ }
 keystrings = malloc(ncolors * cpp);
 if(!keystrings) {
 error = "Out of memory";
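Review bot: The overflow guard multiplies before it casts: in `(size_t)(ncolors * cpp)/cpp != ncolors` the product is formed in the operands' own type, so if `ncolors` and `cpp` are `int` (their declarations are outside the hunk) an oversized pair has already overflowed a signed int. That is undefined behaviour, and an optimizer is allowed to assume it never happens and drop the test. A division-based pre-check avoids the multiplication altogether, e.g. `if (ncolors > INT_MAX / cpp) {`, and it also bounds the unchanged `malloc(ncolors * cpp)` just below, which still multiplies in the narrow type. This relies on `cpp` being positive at this point and on `<limits.h>` being included, neither of which the hunk shows; load_xpm's body starts and ends outside the hunk.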