    Commit

  • Hash : 892c8d50
    Author : Sam Lantinga
    Date : 2019-09-03T11:55:20

    Fixed bug 4536 - Heap-Buffer Overflow in SDL_GetRGB pertaining to SDL_pixels.c
    
    Ozkan Sezer
    
    As for the issue: This bmp reports bpp=0, therefore SDL_CalculatePitch()
    returns pitch==0, which is then fed to SDL_malloc() (which is malloc())
    and malloc(0) returns _something_ which is not NULL but not something
    that we expect. Then testsprite.c:LoadSprite() accesses the pixels
    as *(Uint8*)pixels which valgrind reports as:
    
    ==15533== Invalid read of size 1
    ==15533==    at 0x8048C08: LoadSprite (testsprite.c:45)
    ==15533==    by 0x80492FC: main (testsprite.c:224)
    ==15533==  Address 0x449e588 is 0 bytes after a block of size 0 alloc'd
    ==15533==    at 0x40072B2: malloc (vg_replace_malloc.c:270)
    ==15533==    by 0x4045719: SDL_CreateRGBSurface (SDL_surface.c:126)
    ==15533==    by 0x40403C1: SDL_LoadBMP_RW (SDL_bmp.c:237)
    ==15533==    by 0x8048BB2: LoadSprite (testsprite.c:36)
    ==15533==    by 0x80492FC: main (testsprite.c:224)
    
    Besides, valgrind also reports this:
    ==15533== Conditional jump or move depends on uninitialised value(s)
    ==15533==    at 0x40403F3: SDL_LoadBMP_RW (SDL_bmp.c:247)
    ==15533==    by 0x8048BB2: LoadSprite (testsprite.c:36)
    ==15533==    by 0x80492FC: main (testsprite.c:224)
    
    
    An easy/quick solution would be early-rejecting a bmp with 0 bpp from SDL_bmp.c:SDL_LoadBMP_RW()
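The check the commit message proposes, rejecting a BMP whose header claims 0 bpp before the pixel buffer is sized and allocated, written out as an added C example. This is not SDL's code: the field offsets are the standard 40-byte BITMAPINFOHEADER layout, and every function and status name here (bmp_pitch, bmp_validate, bmp_alloc_pixels, bmp_make_info, bmp_check, the BMP_ERR_* codes) is a constructed placeholder rather than an SDL identifier. It also folds in the two neighbouring checks a loader needs for the same reason: a zero pitch never reaches malloc(), so a 0-byte block like the one valgrind flagged cannot be created, and pitch * height is checked for overflow before the allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Status codes for the hypothetical loader in this example (constructed names). */
enum bmp_status { BMP_OK = 0, BMP_ERR_HDR = 1, BMP_ERR_BPP = 2, BMP_ERR_DIMS = 3, BMP_ERR_SIZE = 4 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Row size in bytes, padded to a 4-byte boundary, in the spirit of
 * SDL_CalculatePitch(). Computed in 64 bits so width*bpp cannot wrap.
 * Returns 0 for an empty row (width == 0 or bpp == 0) or if the value
 * would not fit in size_t; callers treat 0 as "do not allocate". */
size_t bmp_pitch(uint32_t width, uint16_t bpp) {
    uint64_t bytes = ((uint64_t)width * bpp + 7) / 8;
    uint64_t padded = (bytes + 3) & ~(uint64_t)3;
    return padded > SIZE_MAX ? 0 : (size_t)padded;
}

/* Validate the BITMAPINFOHEADER fields that decide the pixel-buffer size,
 * before any allocation. Layout of the 40-byte BITMAPINFOHEADER:
 * offset 0 biSize, 4 width (int32), 8 height (int32), 12 planes, 14 bpp. */
int bmp_validate(const uint8_t *info, size_t len, size_t *pitch, size_t *rows) {
    if (info == NULL || len < 16) return BMP_ERR_HDR;
    int32_t  w   = (int32_t)rd_le32(info + 4);
    int32_t  h   = (int32_t)rd_le32(info + 8);
    uint16_t bpp = rd_le16(info + 14);

    /* bpp == 0 is exactly the case from the bug report: reject it up front. */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_ERR_BPP;
    /* Negative height means a top-down image and is allowed; zero is not. */
    if (w <= 0 || h == 0 || h == INT32_MIN) return BMP_ERR_DIMS;
    uint32_t height = (uint32_t)(h < 0 ? -h : h);

    size_t p = bmp_pitch((uint32_t)w, bpp);
    if (p == 0) return BMP_ERR_DIMS;                 /* never hand 0 to malloc() */
    if (height > SIZE_MAX / p) return BMP_ERR_SIZE;  /* pitch * height would overflow */
    *pitch = p;
    *rows = height;
    return BMP_OK;
}

/* Allocate the pixel buffer only after validation succeeded. Returns NULL
 * (and reports the status) on rejection, so a caller can never be handed
 * a 0-byte block to read from. */
uint8_t *bmp_alloc_pixels(const uint8_t *info, size_t len, int *status) {
    size_t pitch = 0, rows = 0;
    int st = bmp_validate(info, len, &pitch, &rows);
    if (status) *status = st;
    if (st != BMP_OK) return NULL;
    return calloc(rows, pitch);  /* rows * pitch checked non-zero and in range above */
}

/* Constructed 40-byte info-header builder used to make demonstration inputs. */
void bmp_make_info(uint8_t out[40], int32_t w, int32_t h, uint16_t bpp) {
    memset(out, 0, 40);
    out[0] = 40;                                                     /* biSize */
    out[4] = (uint8_t)w; out[5] = (uint8_t)(w >> 8);
    out[6] = (uint8_t)(w >> 16); out[7] = (uint8_t)(w >> 24);
    out[8] = (uint8_t)h; out[9] = (uint8_t)(h >> 8);
    out[10] = (uint8_t)(h >> 16); out[11] = (uint8_t)(h >> 24);
    out[12] = 1;                                                     /* biPlanes */
    out[14] = (uint8_t)bpp; out[15] = (uint8_t)(bpp >> 8);
}

/* Build a header with the given fields and validate it; returns the status. */
int bmp_check(int32_t w, int32_t h, uint16_t bpp, size_t *pitch, size_t *rows) {
    uint8_t hdr[40];
    size_t p = 0, r = 0;
    bmp_make_info(hdr, w, h, bpp);
    int st = bmp_validate(hdr, sizeof hdr, &p, &r);
    if (pitch) *pitch = p;
    if (rows) *rows = r;
    return st;
}

int main(void) {
    uint8_t hdr[40];
    int st;

    bmp_make_info(hdr, 3, 2, 24);                 /* valid: 3x2 at 24 bpp, pitch 12 */
    uint8_t *px = bmp_alloc_pixels(hdr, sizeof hdr, &st);
    printf("valid header: status=%d, buffer=%s\n", st, px ? "allocated" : "NULL");
    free(px);

    bmp_make_info(hdr, 3, 2, 0);                  /* the report's case: bpp == 0 */
    px = bmp_alloc_pixels(hdr, sizeof hdr, &st);
    printf("bpp=0 header: status=%d, buffer=%s\n", st, px ? "allocated" : "NULL");
    free(px);
    return 0;
}
```

Running the program shows the valid header getting a buffer and the bpp=0 header being rejected with BMP_ERR_BPP before any allocation, which is the point of the early check: the invalid read valgrind reported needs a 0-byte block to exist, and the loader simply never creates one.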
    