Skip to content

Commit

Permalink
bmp: backport CVE-2019-7635 (SDL bug 4498) fix from main 2.0 branch:
Browse files Browse the repository at this point in the history
  • Loading branch information
sezero committed Jul 10, 2019
1 parent 2048abf commit e31374d
Showing 1 changed file with 23 additions and 1 deletion.
24 changes: 23 additions & 1 deletion IMG_bmp.c
Original file line number Diff line number Diff line change
Expand Up @@ -292,6 +292,14 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
ExpandBMP = biBitCount;
biBitCount = 8;
break;
case 2:
case 3:
case 5:
case 6:
case 7:
IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
was_error = SDL_TRUE;
goto done;
default:
ExpandBMP = 0;
break;
Expand Down Expand Up @@ -444,7 +452,12 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
goto done;
}
}
*(bits+i) = (pixel>>shift);
bits[i] = (pixel >> shift);
if (bits[i] >= biClrUsed) {
IMG_SetError("A BMP image contains a pixel with a color out of the palette");
was_error = SDL_TRUE;
goto done;
}
pixel <<= ExpandBMP;
} }
break;
Expand All @@ -456,6 +469,15 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
was_error = SDL_TRUE;
goto done;
}
if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
for (i = 0; i < surface->w; ++i) {
if (bits[i] >= biClrUsed) {
IMG_SetError("A BMP image contains a pixel with a color out of the palette");
was_error = SDL_TRUE;
goto done;
}
}
}
#if SDL_BYTEORDER == SDL_BIG_ENDIAN
/* Byte-swap the pixels if needed. Note that the 24bpp
case has already been taken care of above. */
Expand Down

0 comments on commit e31374d

Please sign in to comment.