Subject: fix Heap-Buffer Overflow in Blit1to4 (IMG_bmp.c)
Author: Sam Lantinga <slouken@libsdl.org>
Origin: upstream, https://hg.libsdl.org/SDL_image/rev/03bd33e8cb49
--- a/IMG_bmp.c	2019-07-23 11:59:17.032624113 -0300
+++ b/IMG_bmp.c	2019-07-23 12:01:39.804061761 -0300
@@ -292,6 +292,14 @@
 			ExpandBMP = biBitCount;
 			biBitCount = 8;
 			break;
+		case 2:
+		case 3:
+		case 5:
+		case 6:
+		case 7:
+			IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
+			was_error = SDL_TRUE;
+			goto done;
 		default:
 			ExpandBMP = 0;
 			break;
@@ -444,7 +452,12 @@
 						goto done;
 					}
 				}
-				*(bits+i) = (pixel>>shift);
+				bits[i] = (pixel >> shift);
+				if (bits[i] >= biClrUsed) {
+					IMG_SetError("A BMP image contains a pixel with a color out of the palette");
+					was_error = SDL_TRUE;
+					goto done;
+				}
 				pixel <<= ExpandBMP;
 			} }
 			break;
@@ -456,6 +469,15 @@
 				was_error = SDL_TRUE;
 				goto done;
 			}
+			if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
+				for (i = 0; i < surface->w; ++i) {
+					if (bits[i] >= biClrUsed) {
+						IMG_SetError("A BMP image contains a pixel with a color out of the palette");
+						was_error = SDL_TRUE;
+						goto done;
+					}
+				}
+			}
 #if SDL_BYTEORDER == SDL_BIG_ENDIAN
 			/* Byte-swap the pixels if needed. Note that the 24bpp
 			   case has already been taken care of above. */
@@ -650,6 +672,14 @@
             Bmask = 0x000000FF;
             ExpandBMP = 0;
             break;
+        case 2:
+        case 3:
+        case 5:
+        case 6:
+        case 7:
+            SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+            was_error = SDL_TRUE;
+            goto done;
         default:
             IMG_SetError("ICO file with unsupported bit count");
             was_error = SDL_TRUE;