-
Show log
Commit
-
Hash : 8bc59f87
Author :
Date : 2019-03-16T18:34:33
Fixed CVE-2019-7635 and bug 4498 - Heap-Buffer Overflow in Blit1to4 pertaining to SDL_blit_1.c Petr Pisar The root cause is that the POC BMP file declares 3 colors used and 4 bpp palette, but pixel at line 28 and column 1 (counted from 0) has color number 3. Then when the image loaded into a surface is passed to SDL_DisplayFormat(), in order to convert it to a video format, a used bliting function looks up a color number 3 in a 3-element long color bliting map. (The map obviously has the same number entries as the surface format has colors.) Proper fix should refuse broken BMP images that have a pixel with a color index higher than declared number of "used" colors. Possibly more advanced fix could try to relocate the out-of-range color index into a vacant index (if such exists).
-
Files
- SDL_RLEaccel.c
- SDL_RLEaccel_c.h
- SDL_blit.c
- SDL_blit.h
- SDL_blit_0.c
- SDL_blit_1.c
- SDL_blit_A.c
- SDL_blit_N.c
- SDL_blit_auto.c
- SDL_blit_auto.h
- SDL_blit_copy.c
- SDL_blit_copy.h
- SDL_blit_slow.c
- SDL_blit_slow.h
- SDL_bmp.c
- SDL_clipboard.c
- SDL_egl.c
- SDL_egl_c.h
- SDL_fillrect.c
- SDL_pixels.c
- SDL_pixels_c.h
- SDL_rect.c
- SDL_rect_c.h
- SDL_shape.c
- SDL_shape_internals.h
- SDL_stretch.c
- SDL_surface.c
- SDL_sysvideo.h
- SDL_video.c
- SDL_vulkan_internal.h
- SDL_vulkan_utils.c
- SDL_yuv.c
- SDL_yuv_c.h
- android/
- cocoa/
- directfb/
- dummy/
- emscripten/
- haiku/
- khronos/
- kmsdrm/
- nacl/
- pandora/
- psp/
- qnx/
- raspberry/
- sdlgenblit.pl
- uikit/
- vivante/
- wayland/
- windows/
- winrt/
- x11/
- yuv2rgb/
-
Properties
-
Git HTTP https://git.kmx.io/kc3-lang/SDL.git Git SSH git@git.kmx.io:kc3-lang/SDL.git Public access ? public Description Users
Tags
