Fixed TALOS-2019-0843 - XPM image color code code execution vulnerability

By providing a sufficiently large ncolors and cpp value, the buffer allocation size can overflow into a size too small to hold the color code string. This causes the memcpy to cause a heap overflow, potentially resulting in code execution.
slouken committed Jun 11, 2019
1 parent 0c1db6f commit 52b9d17eaf7b121c92328ce5d70c22be5739b0be
Showing 1 changed file with 7 additions and 1 deletion.
@@ -1026,6 +1026,11 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
goto done;
}

/* Check for allocation overflow */
if ((size_t)(ncolors * cpp)/cpp != ncolors) {
error = "Invalid color specification";
goto done;
}
keystrings = (char *)SDL_malloc(ncolors * cpp);
if (!keystrings) {
error = "Out of memory";
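Review bot: In the new guard `if ((size_t)(ncolors * cpp)/cpp != ncolors)`, the cast to size_t is applied after `ncolors * cpp` has already been computed, so the multiplication still happens in the operands' own type, and the `SDL_malloc(ncolors * cpp)` call below repeats it. The declarations are not visible in this hunk, but if `ncolors` and `cpp` are signed ints, the overflow this check is meant to catch is undefined behaviour and a compiler may fold the test away; comparing a size_t against `ncolors` also mixes signedness. Consider checking before multiplying, for example rejecting the input when `ncolors > SIZE_MAX / cpp` after confirming both values are positive, then computing the size once into a size_t and passing that variable to SDL_malloc. The division also assumes `cpp` is non-zero, which is worth confirming against the validation above this hunk.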
@@ -1093,8 +1098,9 @@ static SDL_Surface *load_xpm(char **xpm, SDL_RWops *src)
c->g = (Uint8)(rgb >> 8);
c->b = (Uint8)(rgb);
pixel = index;
} else
} else {
pixel = rgb;
}
add_colorhash(colors, nextkey, cpp, pixel);
nextkey += cpp;
if (rgb == 0xffffffff)
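Review bot: The braces added around `pixel = rgb;` in the else branch are a style-only change with no effect on behaviour, and they are unrelated to the allocation overflow check. Since this commit is a security fix, keeping it minimal makes it easier to review and cherry-pick; consider moving the brace cleanup to a separate commit or mentioning it in the commit message.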
