# HG changeset patch
# User Sam Lantinga <slouken@libsdl.org>
# Date 1507329619 25200
# Node ID 318484db0705d07d4d1f4c0a1d3d5ea69f6ba2b0
# Parent 7ad06019831d474380fd5a63e518d21219031519
Fixed security vulnerability in XCF image loader (thanks Yves!)
diff -r 7ad06019831d -r 318484db0705 IMG_xcf.c
--- a/IMG_xcf.c Mon Sep 18 16:10:17 2017 -0700
+++ b/IMG_xcf.c Fri Oct 06 15:40:19 2017 -0700
@@ -251,6 +251,7 @@
 }
 static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
+ Uint32 len;
 prop->id = SDL_ReadBE32 (src);
 prop->length = SDL_ReadBE32 (src);
@@ -274,7 +275,12 @@
 break;
 case PROP_COMPRESSION:
 case PROP_COLOR:
- SDL_RWread (src, &prop->data, prop->length, 1);
+ if (prop->length > sizeof(prop->data)) {
+ len = sizeof(prop->data);
+ } else {
+ len = prop->length;
+ }
+ SDL_RWread(src, &prop->data, len, 1);
 break;
 case PROP_VISIBLE:
 prop->data.visible = SDL_ReadBE32 (src);
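Review bot: In the PROP_COMPRESSION/PROP_COLOR case of the second hunk, clamping `len` to `sizeof(prop->data)` stops the overflow but leaves the remaining `prop->length - len` bytes of an oversized property unread, so the next property would presumably be parsed from the middle of this one's payload. Either skip the tail with `if (prop->length > len) SDL_RWseek(src, prop->length - len, RW_SEEK_CUR);` or treat an oversized length as a malformed file and stop loading. The result of `SDL_RWread` is still ignored and `xcf_read_property` returns void, so a truncated file leaves `prop->data` partly unfilled with no way for the caller to notice. The switch and the rest of the function continue outside the hunk, so how other cases consume `prop->length` is not visible here.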