Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c) Author: Sam Lantinga <slouken@libsdl.org> Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49 --- a/IMG_bmp.c 2019-07-23 11:59:17.032624113 -0300 +++ b/IMG_bmp.c 2019-07-23 12:01:39.804061761 -0300 @@ -292,6 +292,14 @@ ExpandBMP = biBitCount; biBitCount = 8; break; + case 2: + case 3: + case 5: + case 6: + case 7: + IMG_SetError("%d-bpp BMP images are not supported", biBitCount); + was_error = SDL_TRUE; + goto done; default: ExpandBMP = 0; break; @@ -444,7 +452,12 @@ goto done; } } - *(bits+i) = (pixel>>shift); + bits[i] = (pixel >> shift); + if (bits[i] >= biClrUsed) { + IMG_SetError("A BMP image contains a pixel with a color out of the palette"); + was_error = SDL_TRUE; + goto done; + } pixel <<= ExpandBMP; } } break; @@ -456,6 +469,15 @@ was_error = SDL_TRUE; goto done; } + if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) { + for (i = 0; i < surface->w; ++i) { + if (bits[i] >= biClrUsed) { + IMG_SetError("A BMP image contains a pixel with a color out of the palette"); + was_error = SDL_TRUE; + goto done; + } + } + } #if SDL_BYTEORDER == SDL_BIG_ENDIAN /* Byte-swap the pixels if needed. Note that the 24bpp case has already been taken care of above. */ @@ -650,6 +672,14 @@ Bmask = 0x000000FF; ExpandBMP = 0; break; + case 2: + case 3: + case 5: + case 6: + case 7: + SDL_SetError("%d-bpp BMP images are not supported", biBitCount); + was_error = SDL_TRUE; + goto done; default: IMG_SetError("ICO file with unsupported bit count"); was_error = SDL_TRUE;