
Commit e4ef188

committed
Fixed bug 3890 - Incomplete fix for CVE-2017-2888
Felix Geyer's changeset http://hg.libsdl.org/SDL/rev/a31ee4d64ff6 tries to fix CVE-2017-2888. Unfortunately, compilers may optimize the second condition "(size / surface->pitch) != surface->h" away. See https://bugzilla.redhat.com/show_bug.cgi?id=1500623#c2 — I've verified that this is also the case on Debian unstable (gcc 7.2).
1 parent a225ffc commit e4ef188


1 file changed

+8
-3
lines changed


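--- a/src/video/SDL_surface.c
+++ b/src/video/SDL_surface.c
@@ -37,6 +37,10 @@ SDL_ConvertPixels_ARGB8888_to_YUV(int width, int height,
 const void *src, int src_pitch,
 Uint32 dst_format, void *dst);
 
+/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */
+SDL_COMPILE_TIME_ASSERT(surface_size_assumptions,
+sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32));
+
 /* Public routines */
 
 /*
@@ -91,15 +95,16 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth,
 
 /* Get the pixels */
 if (surface->w && surface->h) {
-int size = (surface->h * surface->pitch);
-if (size < 0 || (size / surface->pitch) != surface->h) {
+/* Assumptions checked in surface_size_assumptions assert above */
+Sint64 size = ((Sint64)surface->h * surface->pitch);
+if (size < 0 || size > SDL_MAX_SINT32) {
 /* Overflow... */
 SDL_FreeSurface(surface);
 SDL_OutOfMemory();
 return NULL;
 }
 
-surface->pixels = SDL_malloc(size);
+surface->pixels = SDL_malloc((size_t)size);
 if (!surface->pixels) {
 SDL_FreeSurface(surface);
 SDL_OutOfMemory();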
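Review bot: The comment above the new compile-time assert (new line 40) says it covers multiplying surface `w` and `pitch`, but the multiplication it guards at new line 99 is `(Sint64)surface->h * surface->pitch`, so the comment should name `h`. It would also help to say what each half of the assertion buys: `sizeof(int) == sizeof(Sint32)` is what makes the product of two `int` values fit in `Sint64` without signed overflow, and `sizeof(size_t) >= sizeof(Sint32)` is what makes the `(size_t)size` cast at new line 107 lossless once `size <= SDL_MAX_SINT32` has been checked. Suggested wording: `/* Sint64 holds the product of two int (== Sint32) values without overflow, and any value <= SDL_MAX_SINT32 converts to size_t losslessly; the surface size check in SDL_CreateRGBSurfaceWithFormat relies on both */`. The body of SDL_CreateRGBSurfaceWithFormat begins before the second hunk and continues past it, so the remaining uses of `surface->pitch` and `size` are not visible here.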
