Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
CVE-2019-7635: Reject BMP images with pixel colors out the palette
If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors than the palette offers an SDL_Surface with a palette of the indicated number of used colors is created. If some of the image's pixel refer to a color number higher then the maximal used colors, a subsequent bliting operation on the surface will look up a color past a blit map (that is based on the palette) memory. I.e. passing such SDL_Surface to e.g. an SDL_DisplayFormat() function will result in a buffer overread in a blit function. This patch fixes it by validing each pixel's color to be less than the maximal color number in the palette. A validation failure raises an error from a SDL_LoadBMP_RW() function. CVE-2019-7635 https://bugzilla.libsdl.org/show_bug.cgi?id=4498 Signed-off-by: Petr P?sa? <ppisar@redhat.com>
- Loading branch information