This bug report was migrated from our old Bugzilla tracker.
Reported in version: 2.0.12
Reported for operating system, platform: All, x86_64
Comments on the original bug report:
On 2020-06-19 03:26:05 +0000, Carlos Andres Ramirez wrote:
This has recently been FIXED, added here for reference for all parties.
On June 17th, two security issues were reported to the SDL team regarding (1) a Buffer Overflow in video/SDL_blit_N.c and (2) an Integer Overflow leading to Heap Corruption in video/SDL_blit_copy.c. As a result of both of these issues, an attacker could crash/DoS/take control of the application via a specially crafted .BMP file.
A patch was quickly released by the team.
After analysis of the PoC, both of the issues were fixed by making several changes in three different parts of video/SDL_surface.c, which prevent the bad input from reaching the exploitable functions.