Skip to content
Permalink
Browse files
bmp: backport CVE-2019-7635 (SDL bug 4498) fix from main 2.0 branch:
  • Loading branch information
sezero committed Jul 10, 2019
1 parent 2048abf commit e31374d045594938670f65e8f2f864ce2fa15b9e
Showing with 23 additions and 1 deletion.
  1. +23 −1 IMG_bmp.c
@@ -292,6 +292,14 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
ExpandBMP = biBitCount;
biBitCount = 8;
break;
case 2:
case 3:
case 5:
case 6:
case 7:
IMG_SetError("%d-bpp BMP images are not supported", biBitCount);
was_error = SDL_TRUE;
goto done;
default:
ExpandBMP = 0;
break;
@@ -444,7 +452,12 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
goto done;
}
}
*(bits+i) = (pixel>>shift);
bits[i] = (pixel >> shift);
if (bits[i] >= biClrUsed) {
IMG_SetError("A BMP image contains a pixel with a color out of the palette");
was_error = SDL_TRUE;
goto done;
}
pixel <<= ExpandBMP;
} }
break;
@@ -456,6 +469,15 @@ static SDL_Surface *LoadBMP_RW (SDL_RWops *src, int freesrc)
was_error = SDL_TRUE;
goto done;
}
if (biBitCount == 8 && palette && biClrUsed < (1 << biBitCount)) {
for (i = 0; i < surface->w; ++i) {
if (bits[i] >= biClrUsed) {
IMG_SetError("A BMP image contains a pixel with a color out of the palette");
was_error = SDL_TRUE;
goto done;
}
}
}
#if SDL_BYTEORDER == SDL_BIG_ENDIAN
/* Byte-swap the pixels if needed. Note that the 24bpp
case has already been taken care of above. */

0 comments on commit e31374d

Please sign in to comment.