diff options
| author |   takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
|---|---|---|
| committer | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
| commit | 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf (patch) | |
| tree | cd70a267a5ef105ba32f200aa088e281fbd85747 /external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch | |
| parent | 4204309872da5cb401cbb2729d9e2d4869a87f42 (diff) | |
basesystem-jjsandbox/ToshikazuOhiwa/master-jj
recipes
Diffstat (limited to 'external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch')
| -rw-r--r-- | external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch b/external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch deleted file mode 100644 index 78af1b06..00000000 --- a/external/poky/meta/recipes-graphics/libsdl/libsdl-1.2.15/CVE-2019-7635.patch +++ /dev/null @@ -1,63 +0,0 @@ -# HG changeset patch -# User Petr Písař <ppisar@redhat.com> -# Date 1560259692 25200 -# Tue Jun 11 06:28:12 2019 -0700 -# Branch SDL-1.2 -# Node ID f1f5878be5dbf63c1161a8ee52b8a86ece30e552 -# Parent a936f9bd3e381d67d8ddee8b9243f85799ea4798 -CVE-2019-7635: Reject BMP images with pixel colors out the palette -If a 1-, 4-, or 8-bit per pixel BMP image declares less used colors -than the palette offers an SDL_Surface with a palette of the indicated -number of used colors is created. If some of the image's pixel -refer to a color number higher then the maximal used colors, a subsequent -bliting operation on the surface will look up a color past a blit map -(that is based on the palette) memory. I.e. passing such SDL_Surface -to e.g. an SDL_DisplayFormat() function will result in a buffer overread in -a blit function. - -This patch fixes it by validing each pixel's color to be less than the -maximal color number in the palette. A validation failure raises an -error from a SDL_LoadBMP_RW() function. - -CVE-2019-7635 -https://bugzilla.libsdl.org/show_bug.cgi?id=4498 - -Signed-off-by: Petr Písař <ppisar@redhat.com> - -CVE: CVE-2019-7635 -Upstream-Status: Backport -Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> - -diff -r a936f9bd3e38 -r f1f5878be5db src/video/SDL_bmp.c ---- a/src/video/SDL_bmp.c Mon Jun 10 09:25:05 2019 -0700 -+++ b/src/video/SDL_bmp.c Tue Jun 11 06:28:12 2019 -0700 -@@ -308,6 +308,12 @@ - } - *(bits+i) = (pixel>>shift); - pixel <<= ExpandBMP; -+ if ( bits[i] >= biClrUsed ) { -+ SDL_SetError( -+ "A BMP image contains a pixel with a color out of the palette"); -+ was_error = SDL_TRUE; -+ goto done; -+ } - } } - break; - -@@ -318,6 +324,16 @@ - was_error = SDL_TRUE; - goto done; - } -+ if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) { -+ for ( i=0; i<surface->w; ++i ) { -+ if ( bits[i] >= biClrUsed ) { -+ SDL_SetError( -+ "A BMP image contains a pixel with a color out of the palette"); -+ was_error = SDL_TRUE; -+ goto done; -+ } -+ } -+ } - #if SDL_BYTEORDER == SDL_BIG_ENDIAN - /* Byte-swap the pixels if needed. Note that the 24bpp - case has already been taken care of above. */ |