SDL/src
Sam Lantinga 892c8d5058 Fixed bug 4536 - Heap-Buffer Overflow in SDL_GetRGB pertaining to SDL_pixels.c
Ozkan Sezer

As for the issue: This bmp reports bpp=0, therefore SDL_CalculatePitch()
returns pitch==0, which is then fed to SDL_malloc() (which is malloc())
and malloc(0) returns _something_ which is not NULL but not something
that we expect..  Then testsprite.c:LoadSprite() accesses the pixels
as *(Uint8*)pixels which valgrind reports as:

==15533== Invalid read of size 1
==15533==    at 0x8048C08: LoadSprite (testsprite.c:45)
==15533==    by 0x80492FC: main (testsprite.c:224)
==15533==  Address 0x449e588 is 0 bytes after a block of size 0 alloc'd
==15533==    at 0x40072B2: malloc (vg_replace_malloc.c:270)
==15533==    by 0x4045719: SDL_CreateRGBSurface (SDL_surface.c:126)
==15533==    by 0x40403C1: SDL_LoadBMP_RW (SDL_bmp.c:237)
==15533==    by 0x8048BB2: LoadSprite (testsprite.c:36)
==15533==    by 0x80492FC: main (testsprite.c:224)

Besides, valgrind also reports this:
==15533== Conditional jump or move depends on uninitialised value(s)
==15533==    at 0x40403F3: SDL_LoadBMP_RW (SDL_bmp.c:247)
==15533==    by 0x8048BB2: LoadSprite (testsprite.c:36)
==15533==    by 0x80492FC: main (testsprite.c:224)


Easy/quick solution would be early-rejecting a bmp with 0 bpp from SDL_bmp.c:SDL_LoadBMP_RW()
2019-09-03 11:55:20 -07:00
..
atomic Fixed memory barrier macro check so it isn't quite so fragile 2019-06-30 23:58:31 -07:00
audio Android: fix corresponding warnings 2019-08-30 08:55:20 +02:00
core use 'U' suffix on constants instead of (unsigned int) cast. 2019-08-30 11:35:20 +03:00
cpuinfo Fixed bug 4557 - SDL_SIMDAlloc and *Free should be in the public interface 2019-06-08 14:54:37 -07:00
dynapi Android: fix corresponding warnings 2019-08-30 08:55:20 +02:00
events Android: fix corresponding warnings 2019-08-30 08:55:20 +02:00
file minor build fix. 2019-07-31 01:19:26 +03:00
filesystem Fixed bug 4726 - Fix for tvOS GetPrefPath 2019-07-18 19:33:17 -07:00
haptic Updated copyright for 2019 2019-01-04 22:01:14 -08:00
hidapi Prevent the SPEEDLINK COMPETITION PRO joystick from switching into Android controller mode when enumerated over HID on Windows 10. 2019-08-22 15:58:00 -07:00
joystick use 'U' suffix on constants instead of (unsigned int) cast. 2019-08-30 11:35:20 +03:00
libm Updated copyright for 2019 2019-01-04 22:01:14 -08:00
loadso Updated copyright for 2019 2019-01-04 22:01:14 -08:00
main minor whitespace tidy-up. 2019-07-31 19:40:50 +03:00
power Updated copyright for 2019 2019-01-04 22:01:14 -08:00
render direct3d: Be more aggressive about resetting state when textures go away. 2019-09-02 00:11:58 -04:00
sensor Updated copyright for 2019 2019-01-04 22:01:14 -08:00
stdlib better readability.. 2019-07-31 00:07:15 +03:00
test use SDL_zeroa at more places where the argument is an array. 2019-07-31 05:11:40 +03:00
thread Hopefully fixed the mingw32 build 2019-03-19 17:20:54 -07:00
timer Updated copyright for 2019 2019-01-04 22:01:14 -08:00
video Fixed bug 4536 - Heap-Buffer Overflow in SDL_GetRGB pertaining to SDL_pixels.c 2019-09-03 11:55:20 -07:00
SDL.c events: Make debug logging of the event queue a hint instead of an #ifdef. 2019-03-15 14:08:30 -04:00
SDL_assert.c minor build fixes. 2019-07-31 00:05:28 +03:00
SDL_assert_c.h Updated copyright for 2019 2019-01-04 22:01:14 -08:00
SDL_dataqueue.c Updated copyright for 2019 2019-01-04 22:01:14 -08:00
SDL_dataqueue.h Updated copyright for 2019 2019-01-04 22:01:14 -08:00
SDL_error.c Fix DirectInput error codes being lost 2019-03-16 18:11:09 -07:00
SDL_error_c.h Updated copyright for 2019 2019-01-04 22:01:14 -08:00
SDL_hints.c Updated copyright for 2019 2019-01-04 22:01:14 -08:00
SDL_internal.h Updated copyright for 2019 2019-01-04 22:01:14 -08:00
SDL_log.c Copypaste SDL_NSLog to UIKit backend, document it as such 2019-07-17 23:20:57 -04:00