Hi SDL maintainers & security team,
> libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
The attached patches apply cleanly to jessie, stretch and sid respectively. (It looks like they reformatted their code later on.) I am happy to handle the jessie upload, but I can also work on the stable/sid releases too if you wish; please let me know. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
--- libsdl2-image-2.0.1+dfsg.orig/IMG_xcf.c
+++ libsdl2-image-2.0.1+dfsg/IMG_xcf.c
@@ -637,6 +637,9 @@ static int do_layer_surface (SDL_Surface
 p16 = (Uint16 *) p8;
 p = (Uint32 *) p8;
 for (y=ty; y < ty+oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
 row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
 switch (hierarchy->bpp) {
 case 4:
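Review bot: The added guard tests `ty`, the loop's starting row, rather than the current row `y`, so a tile whose first row lies inside the surface but whose later rows (`y` up to `ty+oy-1`) reach or pass `surface->h` still computes `row` from `y*surface->pitch` beyond the pixel buffer on the very next line; the row bound should be on the loop variable, `if ((y >= surface->h) || ((tx+ox) > surface->w)) { break; }`. As written both operands of the condition are loop-invariant, so the check either breaks on the first iteration or never fires, which is also a hint that it belongs before the `for` if the intent really was a whole-tile check. Whether the caller already clamps `oy` (or whether `tx`/`ty` can be negative) cannot be seen from this hunk, since do_layer_surface begins and ends outside it. The same guard appears unchanged in the 2.0.3 and 2.0.0 hunks below, which would need the identical correction.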
--- libsdl2-image-2.0.3+dfsg1.orig/IMG_xcf.c
+++ libsdl2-image-2.0.3+dfsg1/IMG_xcf.c
@@ -638,6 +638,9 @@ do_layer_surface(SDL_Surface * surface,
 p16 = (Uint16 *) p8;
 p = (Uint32 *) p8;
 for (y = ty; y < ty + oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
 row = (Uint32 *) ((Uint8 *) surface->pixels + y * surface->pitch + tx * 4);
 switch (hierarchy->bpp) {
 case 4:
--- libsdl2-image-2.0.0+dfsg.orig/IMG_xcf.c
+++ libsdl2-image-2.0.0+dfsg/IMG_xcf.c
@@ -637,6 +637,9 @@ static int do_layer_surface (SDL_Surface
 p16 = (Uint16 *) p8;
 p = (Uint32 *) p8;
 for (y=ty; y < ty+oy; y++) {
+ if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
+ break;
+ }
 row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
 switch (hierarchy->bpp) {
 case 4: