Fixed bug 4628 - SEGV_UNKNOW in function SDL_free_REAL at SDL_malloc.c:5372-5

slouken · slouken · commit ee60e60adf54 · 2019-06-10T15:41:09.000-07:00
Hugo Lefeuvre

The PCX format specifies pcxh.BytesPerLine, which represents the size of a
single plane's scanline in bytes. Valid PCX images should have
pcxh.BytesPerLine &gt;= surface-&gt;pitch.

pcxh.BytesPerLine and surface-&gt;pitch can legitimately be different because
pcxh.BytesPerLine is padded to be a multiple of machine word length (where
file was created).

If src_bits == 8 we directly read a whole scanline from src to row. This is
a problem in the case where bpl &gt; surface-&gt;pitch because row is too small.

This allows attacker to perform unlimited OOB write on the heap.

+ remove pointless check bpl &gt; surface-&gt;pitch, this is a valid situation
+ make sure we always read into buf which is big enough
+ in the case where src_bits == 8: copy these bytes back to row afterwar
diff --git a/IMG_pcx.c b/IMG_pcx.c
@@ -156,22 +156,22 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *src)
     }
     surface = SDL_CreateRGBSurface(SDL_SWSURFACE, width, height,
                    bits, Rmask, Gmask, Bmask, Amask);
-    if ( surface == NULL )
+    if ( surface == NULL ) {
         goto done;
+    }
 
     bpl = pcxh.NPlanes * pcxh.BytesPerLine;
-    if ( bpl < 0 || bpl > surface->pitch ) {
-        error = "bytes per line is too large (corrupt?)";
+    buf = (Uint8 *)SDL_calloc(bpl, 1);
+    if ( !buf ) {
+        error = "Out of memory";
         goto done;
     }
-    buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
     row = (Uint8 *)surface->pixels;
     for ( y=0; y<surface->h; ++y ) {
         /* decode a scan line to a temporary buffer first */
         int i;
-        Uint8 *dst = buf;
         if ( pcxh.Encoding == 0 ) {
-            if ( !SDL_RWread(src, dst, bpl, 1) ) {
+            if ( !SDL_RWread(src, buf, bpl, 1) ) {
                 error = "file truncated";
                 goto done;
             }
@@ -192,7 +192,7 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *src)
                         }
                     }
                 }
-                dst[i] = ch;
+                buf[i] = ch;
                 count--;
             }
         }
@@ -214,13 +214,21 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *src)
                     }
                 }
             }
+        } else if ( src_bits == 8 ) {
+            /* directly copy buf content to row */
+            Uint8 *innerSrc = buf;
+            int x;
+            Uint8 *dst = row;
+            for ( x = 0; x < width; x++ ) {
+                *dst++ = *innerSrc++;
+            }
         } else if ( src_bits == 24 ) {
             /* de-interlace planes */
             Uint8 *innerSrc = buf;
             int plane;
             for ( plane = 0; plane < pcxh.NPlanes; plane++ ) {
                 int x;
-                dst = row + plane;
+                Uint8 *dst = row + plane;
                 for ( x = 0; x < width; x++ ) {
                     if ( dst >= row+surface->pitch ) {
                         error = "decoding out of bounds (corrupt?)";
@@ -230,8 +238,6 @@ SDL_Surface *IMG_LoadPCX_RW(SDL_RWops *src)
                     dst += pcxh.NPlanes;
                 }
             }
-        } else {
-            SDL_memcpy(row, buf, bpl);
         }
 
         row += surface->pitch;

Original file line number	Diff line number	Diff line change
`@@ -156,22 +156,22 @@ SDL_Surface IMG_LoadPCX_RW(SDL_RWops src)`
`156`	`156`	`}`
`157`	`157`	`surface = SDL_CreateRGBSurface(SDL_SWSURFACE, width, height,`
`158`	`158`	`bits, Rmask, Gmask, Bmask, Amask);`
`159`		`- if ( surface == NULL )`
	`159`	`+ if ( surface == NULL ) {`
`160`	`160`	`goto done;`
	`161`	`+ }`
`161`	`162`
`162`	`163`	`bpl = pcxh.NPlanes * pcxh.BytesPerLine;`
`163`		`- if ( bpl < 0 \|\| bpl > surface->pitch ) {`
`164`		`- error = "bytes per line is too large (corrupt?)";`
	`164`	`+ buf = (Uint8 *)SDL_calloc(bpl, 1);`
	`165`	`+ if ( !buf ) {`
	`166`	`+ error = "Out of memory";`
`165`	`167`	`goto done;`
`166`	`168`	`}`
`167`		`- buf = (Uint8 *)SDL_calloc(surface->pitch, 1);`
`168`	`169`	`row = (Uint8 *)surface->pixels;`
`169`	`170`	`for ( y=0; y<surface->h; ++y ) {`
`170`	`171`	`/* decode a scan line to a temporary buffer first */`
`171`	`172`	`int i;`
`172`		`- Uint8 *dst = buf;`
`173`	`173`	`if ( pcxh.Encoding == 0 ) {`
`174`		`- if ( !SDL_RWread(src, dst, bpl, 1) ) {`
	`174`	`+ if ( !SDL_RWread(src, buf, bpl, 1) ) {`
`175`	`175`	`error = "file truncated";`
`176`	`176`	`goto done;`
`177`	`177`	`}`
`@@ -192,7 +192,7 @@ SDL_Surface IMG_LoadPCX_RW(SDL_RWops src)`
`192`	`192`	`}`
`193`	`193`	`}`
`194`	`194`	`}`
`195`		`- dst[i] = ch;`
	`195`	`+ buf[i] = ch;`
`196`	`196`	`count--;`
`197`	`197`	`}`
`198`	`198`	`}`
`@@ -214,13 +214,21 @@ SDL_Surface IMG_LoadPCX_RW(SDL_RWops src)`
`214`	`214`	`}`
`215`	`215`	`}`
`216`	`216`	`}`
	`217`	`+ } else if ( src_bits == 8 ) {`
	`218`	`+ /* directly copy buf content to row */`
	`219`	`+ Uint8 *innerSrc = buf;`
	`220`	`+ int x;`
	`221`	`+ Uint8 *dst = row;`
	`222`	`+ for ( x = 0; x < width; x++ ) {`
	`223`	`+ dst++ = innerSrc++;`
	`224`	`+ }`
`217`	`225`	`} else if ( src_bits == 24 ) {`
`218`	`226`	`/* de-interlace planes */`
`219`	`227`	`Uint8 *innerSrc = buf;`
`220`	`228`	`int plane;`
`221`	`229`	`for ( plane = 0; plane < pcxh.NPlanes; plane++ ) {`
`222`	`230`	`int x;`
`223`		`- dst = row + plane;`
	`231`	`+ Uint8 *dst = row + plane;`
`224`	`232`	`for ( x = 0; x < width; x++ ) {`
`225`	`233`	`if ( dst >= row+surface->pitch ) {`
`226`	`234`	`error = "decoding out of bounds (corrupt?)";`
`@@ -230,8 +238,6 @@ SDL_Surface IMG_LoadPCX_RW(SDL_RWops src)`
`230`	`238`	`dst += pcxh.NPlanes;`
`231`	`239`	`}`
`232`	`240`	`}`
`233`		`- } else {`
`234`		`- SDL_memcpy(row, buf, bpl);`
`235`	`241`	`}`
`236`	`242`
`237`	`243`	`row += surface->pitch;`