CVE-2019-7635: Reject BMP images with pixel colors out the palette

If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors
than the palette offers an SDL_Surface with a palette of the indicated
number of used colors is created. If some of the image's pixel
refer to a color number higher then the maximal used colors, a subsequent
bliting operation on the surface will look up a color past a blit map
(that is based on the palette) memory. I.e. passing such SDL_Surface
to e.g. an SDL_DisplayFormat() function will result in a buffer overread in
a blit function.

This patch fixes it by validing each pixel's color to be less than the
maximal color number in the palette. A validation failure raises an
error from a SDL_LoadBMP_RW() function.

CVE-2019-7635
https://bugzilla.libsdl.org/show_bug.cgi?id=4498

Signed-off-by: Petr P?sa? <ppisar@redhat.com>

src/video/SDL_bmp.c

@@ -308,6 +308,12 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 				}
 				*(bits+i) = (pixel>>shift);
 				pixel <<= ExpandBMP;
+				if ( bits[i] >= biClrUsed ) {
+					SDL_SetError(
+						"A BMP image contains a pixel with a color out of the palette");
+					was_error = SDL_TRUE;
+					goto done;
+				}
 			} }
 			break;
 
@@ -318,6 +324,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 				was_error = SDL_TRUE;
 				goto done;
 			}
+			if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
+				for ( i=0; i<surface->w; ++i ) {
+					if ( bits[i] >= biClrUsed ) {
+						SDL_SetError(
+							"A BMP image contains a pixel with a color out of the palette");
+						was_error = SDL_TRUE;
+						goto done;
+					}
+				}
+			}
 #if SDL_BYTEORDER == SDL_BIG_ENDIAN
 			/* Byte-swap the pixels if needed. Note that the 24bpp
 			   case has already been taken care of above. */