commit | 6fe58e12b33d840f07bf8706fb2571396afc4470 | [log] [tgz] |
---|---|---|
author | Sam Lantinga <slouken@libsdl.org> | Mon Feb 18 07:50:33 2019 -0800 |
committer | Sam Lantinga <slouken@libsdl.org> | Mon Feb 18 07:50:33 2019 -0800 |
tree | f7a01a33bc5eb3a72ccf6f67edbb0ffc585d8277 | |
parent | ee94bad7f8608549ca58ea69a0e24aa98c570048 [diff] |
Fixed bug 4500 - Heap-Buffer Overflow in Map1toN pertaining to SDL_pixels.c Petr Pisar The reproducer has these data in BITMAPINFOHEADER: biSize = 40 biBitCount = 8 biClrUsed = 131075 SDL_LoadBMP_RW() function passes biBitCount as a color depth to SDL_CreateRGBSurface(), thus 256-color pallete is allocated. But then biClrUsed colors are read from a file and stored into the palette. SDL_LoadBMP_RW should report an error if biClrUsed is greater than 2^biBitCount.