Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c

slouken · slouken · commit 3c6f20586bb4 · 2019-02-18T07:48:23.000-08:00
Petr Pisar

The reproducer has these data in BITMAPINFOHEADER:

biSize = 40
biBitCount = 8
biClrUsed = 131075

SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
@@ -233,6 +233,10 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 	if ( palette ) {
 		if ( biClrUsed == 0 ) {
 			biClrUsed = 1 << biBitCount;
+		} else if ( biClrUsed > (1 << biBitCount) ) {
+			SDL_SetError("BMP file has an invalid number of colors");
+			was_error = SDL_TRUE;
+			goto done;
 		}
 		if ( biSize == 12 ) {
 			for ( i = 0; i < (int)biClrUsed; ++i ) {
