Hi SDL maintainers & security team,
> libsdl2-image: CVE-2018-3977: do_layer_surface code execution
> vulnerability
The attached patches apply cleanly to jessie, stretch and sid
respectively. (Looks like they reformatted their code later on.)
I am happy to handle the jessie upload, but I can also work on the
stable/sid releases too if you wish; please let me know.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
--- libsdl2-image-2.0.1+dfsg.orig/IMG_xcf.c
+++ libsdl2-image-2.0.1+dfsg/IMG_xcf.c
@@ -637,6 +637,9 @@ static int do_layer_surface (SDL_Surface
p16 = (Uint16 *) p8;
p = (Uint32 *) p8;
for (y=ty; y < ty+oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
switch (hierarchy->bpp) {
case 4:
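Review bot: The added guard tests `ty`, the loop's starting row, rather than the loop variable `y`, so it is loop-invariant: when `ty < surface->h` but `ty + oy > surface->h`, rows past the bottom of the surface are still written through `row` on the following line. Checking the current row instead, `if ((y >= surface->h) || ((tx+ox) > surface->w)) {`, bounds every iteration; alternatively, since the condition as written cannot change between iterations, it belongs before the `for` rather than inside it. The 2.0.3 and 2.0.0 hunks below carry the same check and the same issue. If `tx`, `ox` or `oy` can be negative (their declarations are not visible here), a signed lower-bound check would also be needed, since a negative `tx` or `y` would move `row` before `pixels`. do_layer_surface begins and ends outside the hunk.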
--- libsdl2-image-2.0.3+dfsg1.orig/IMG_xcf.c
+++ libsdl2-image-2.0.3+dfsg1/IMG_xcf.c
@@ -638,6 +638,9 @@ do_layer_surface(SDL_Surface * surface,
p16 = (Uint16 *) p8;
p = (Uint32 *) p8;
for (y = ty; y < ty + oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
row = (Uint32 *) ((Uint8 *) surface->pixels + y * surface->pitch + tx * 4);
switch (hierarchy->bpp) {
case 4:
--- libsdl2-image-2.0.0+dfsg.orig/IMG_xcf.c
+++ libsdl2-image-2.0.0+dfsg/IMG_xcf.c
@@ -637,6 +637,9 @@ static int do_layer_surface (SDL_Surface
p16 = (Uint16 *) p8;
p = (Uint32 *) p8;
for (y=ty; y < ty+oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
switch (hierarchy->bpp) {
case 4: