Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c

slouken · slouken · commit ea4c4cfc28e1 · 2019-02-18T07:50:33.000-08:00
Petr Pisar

The reproducer has these data in BITMAPINFOHEADER:

biSize = 40
biBitCount = 8
biClrUsed = 131075

SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.
diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
@@ -313,6 +313,10 @@ SDL_LoadBMP_RW(SDL_RWops * src, int freesrc)
         SDL_assert(biBitCount <= 8);
         if (biClrUsed == 0) {
             biClrUsed = 1 << biBitCount;
+		} else if (biClrUsed > (1 << biBitCount)) {
+			SDL_SetError("BMP file has an invalid number of colors");
+			was_error = SDL_TRUE;
+			goto done;
         }
         if ((int) biClrUsed > palette->ncolors) {
             SDL_Color *colors;
