This bug report was migrated from our old Bugzilla tracker.
Reported in version: 2.0.12
Reported for operating system, platform: All, x86_64
Comments on the original bug report:
On 2020-06-19 03:26:05 +0000, Carlos Andres Ramirez wrote:
This has recently been FIXED, added here for reference for all parties.
On June 17th, two security issues were reported to the SDL team regarding (1) a Buffer Overflow in video/SDL_blit_N.c and (2) an Integer Overflow leading to Heap Corruption in video/SDL_blit_copy.c. As a result of both of these issues, an attacker could crash/DOS/take control of the application via a specially crafted .BMP file.
A patch was quickly released by the team.
DETAILS
After analysis of the PoC, both of the issues were fixed by making several changes in three different parts of video/SDL_surface.c, which prevent the bad input from reaching the exploitable functions.
For reference, these have been assigned CVE IDs CVE-2020-14409 for the Integer Overflow/Heap Corruption and CVE-2020-14410 for the Out-of-Bounds Read BoF.
Carlos Andres Ramirez Catano
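The report above describes the fix as validation that stops bad input before it reaches the blit code. The following is an added example of that general pattern (overflow-checked pitch and size computation for dimensions read from an image header); it is not SDL's patch or code from this report, and `checked_surface_size`, `naive_size_u32` and `MAX_SURFACE_BYTES` are hypothetical names chosen for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed policy cap for this example (1 GiB); not an SDL constant. */
#define MAX_SURFACE_BYTES ((uint64_t)1 << 30)

/* Unchecked pattern: 32-bit arithmetic silently wraps modulo 2^32. */
uint32_t naive_size_u32(uint32_t width, uint32_t height, uint32_t bytes_pp)
{
    return width * bytes_pp * height;
}

/* Hypothetical helper (not SDL's API): validate image-header dimensions and
 * compute a 4-byte-aligned pitch and total size. Returns 0 if safe, -1 if not. */
int checked_surface_size(int32_t width, int32_t height, unsigned bits_pp,
                         size_t *pitch_out, size_t *size_out)
{
    uint64_t row_bits, pitch, total;

    if (width <= 0 || height <= 0 || bits_pp == 0 || bits_pp > 32)
        return -1;

    /* width < 2^31 and bits_pp <= 32, so this cannot overflow 64 bits. */
    row_bits = (uint64_t)width * bits_pp;
    pitch = ((row_bits + 7) / 8 + 3) & ~(uint64_t)3;
    if (pitch > INT_MAX)          /* copy loops often keep pitch in an int */
        return -1;

    total = pitch * (uint64_t)height;   /* < 2^62, safe in 64 bits */
    if (total > MAX_SURFACE_BYTES)
        return -1;

    *pitch_out = (size_t)pitch;
    *size_out = (size_t)total;
    return 0;
}

int main(void)
{
    size_t pitch = 0, size = 0;
    /* Constructed header values: 65536 x 65536 at 32 bpp. */
    printf("naive size: %u\n", (unsigned)naive_size_u32(0x10000, 0x10000, 4));
    printf("checked: %d\n", checked_surface_size(0x10000, 0x10000, 32, &pitch, &size));
    return 0;
}
```

With the constructed 65536 x 65536 header, the unchecked 32-bit product wraps to 0 while the checked helper rejects the dimensions before any buffer is allocated or copied.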
On 2020-06-19 17:35:53 +0000, Sam Lantinga wrote:
Thanks for the report!
FYI, the change to SDL_COMPILE_TIME_ASSERT() was not necessary and was rolled back in a later commit.