Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-14409 and CVE-2020-14410 #3745

Closed
SDLBugzilla opened this issue Feb 11, 2021 · 0 comments
Closed

CVE-2020-14409 and CVE-2020-14410 #3745

SDLBugzilla opened this issue Feb 11, 2021 · 0 comments
Labels

Comments

@SDLBugzilla
Copy link
Collaborator

@SDLBugzilla SDLBugzilla commented Feb 11, 2021

This bug report was migrated from our old Bugzilla tracker.

Reported in version: 2.0.12
Reported for operating system, platform: All, x86_64

Comments on the original bug report:

On 2020-06-19 03:26:05 +0000, Carlos Andres Ramirez wrote:

This has recently been FIXED, added here for reference for all parties.

On June 17th, two security issues were reported to the SDL team in regards of (1) a Buffer Overflow in video/SDL_blit_N.c and (2) an Integer Overflow leading to Heap Corruption in video/SDL_blit_copy.c. As a result of both of these issues, an attacker could crash/DOS/take control of the application via an especially crafted .BMP file.

A patch was quickly released by the team.

DETAILS
After analysis of the PoC, both of the issues were fixed by doing several changes in three different parts of video/SDL_surface.c, which prevents the bad input from reaching the exploitable functions.

Changed in SDL_surface.c

For reference, these have been assigned CVE IDs CVE-2020-14409 for the Integer Overflow/Heap Corruption and CVE-2020-14410 for the Out-of-Bounds Read BoF.


Carlos Andres Ramirez Catano

On 2020-06-19 17:35:53 +0000, Sam Lantinga wrote:

Thanks for the report!

FYI, the change to SDL_COMPILE_TIME_ASSERT() was not necessary and was rolled back in a later commit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant