diff options
author | Jason M. Bills <jason.m.bills@linux.intel.com> | 2019-10-22 23:54:16 +0300 |
---|---|---|
committer | Jason M. Bills <jason.m.bills@linux.intel.com> | 2019-10-22 23:54:16 +0300 |
commit | 9722c6ee87766a45a337c094d1293de81cdcb106 (patch) | |
tree | 08b57716ae3c02fef2bc870b634019e692fd70e6 /meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch | |
parent | 35e295e2a161fcf146ea031de53431b2888521fa (diff) | |
parent | 5b6cc97bf138293b6af12d5d3003bb66c700c48a (diff) | |
download | openbmc-9722c6ee87766a45a337c094d1293de81cdcb106.tar.xz |
Merge branch 'master' of ssh://git-amr-1.devtools.intel.com:29418/openbmc-openbmc into HEAD
Diffstat (limited to 'meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch')
-rw-r--r-- | meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch b/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch new file mode 100644 index 000000000..78af1b061 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch @@ -0,0 +1,63 @@ +# HG changeset patch +# User Petr Písař <ppisar@redhat.com> +# Date 1560259692 25200 +# Tue Jun 11 06:28:12 2019 -0700 +# Branch SDL-1.2 +# Node ID f1f5878be5dbf63c1161a8ee52b8a86ece30e552 +# Parent a936f9bd3e381d67d8ddee8b9243f85799ea4798 +CVE-2019-7635: Reject BMP images with pixel colors out the palette +If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors +than the palette offers an SDL_Surface with a palette of the indicated +number of used colors is created. If some of the image's pixel +refer to a color number higher then the maximal used colors, a subsequent +bliting operation on the surface will look up a color past a blit map +(that is based on the palette) memory. I.e. passing such SDL_Surface +to e.g. an SDL_DisplayFormat() function will result in a buffer overread in +a blit function. + +This patch fixes it by validing each pixel's color to be less than the +maximal color number in the palette. A validation failure raises an +error from a SDL_LoadBMP_RW() function. + +CVE-2019-7635 +https://bugzilla.libsdl.org/show_bug.cgi?id=4498 + +Signed-off-by: Petr Písař <ppisar@redhat.com> + +CVE: CVE-2019-7635 +Upstream-Status: Backport +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +diff -r a936f9bd3e38 -r f1f5878be5db src/video/SDL_bmp.c +--- a/src/video/SDL_bmp.c Mon Jun 10 09:25:05 2019 -0700 ++++ b/src/video/SDL_bmp.c Tue Jun 11 06:28:12 2019 -0700 +@@ -308,6 +308,12 @@ + } + *(bits+i) = (pixel>>shift); + pixel <<= ExpandBMP; ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } + } } + break; + +@@ -318,6 +324,16 @@ + was_error = SDL_TRUE; + goto done; + } ++ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { ++ for ( i=0; i<surface->w; ++i ) { ++ if ( bits[i] >= biClrUsed ) { ++ SDL_SetError( ++ "A BMP image contains a pixel with a color out of the palette"); ++ was_error = SDL_TRUE; ++ goto done; ++ } ++ } ++ } + #if SDL_BYTEORDER == SDL_BIG_ENDIAN + /* Byte-swap the pixels if needed. Note that the 24bpp + case has already been taken care of above. */ |