File CVE-2019-7635.patch of Package SDL2.23596

diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index ba908a6..78a9904 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -246,6 +246,14 @@ SDL_LoadBMP_RW(SDL_RWops * src, int freesrc)
         ExpandBMP = biBitCount;
         biBitCount = 8;
         break;
+    case 2:
+    case 3:
+    case 5:
+    case 6:
+    case 7:
+        SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+        was_error = SDL_TRUE;
+        goto done;        
     default:
         ExpandBMP = 0;
         break;
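Review bot: The unsupported depths are rejected by listing 2, 3, 5, 6 and 7 one by one, so any other value without a decoder (0, or something between 9 and 15, for example) still reaches `default:` and continues with `ExpandBMP = 0`. Whether those values are rejected elsewhere in SDL_LoadBMP_RW is not visible in this hunk. A short comment above the new labels would record why they exist, e.g. `/* No expansion path for these depths: fail before any pixel row is decoded. */`. The `goto done;` line also carries trailing whitespace. The switch itself starts outside the hunk.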
@@ -396,6 +404,11 @@ SDL_LoadBMP_RW(SDL_RWops * src, int freesrc)
                     }
                     *(bits + i) = (pixel >> shift);
                     pixel <<= ExpandBMP;
+                    if ( bits[i] >= biClrUsed ) {
+                        SDL_SetError("A BMP image contains a pixel with a color out of the palette");
+                        was_error = SDL_TRUE;
+                        goto done;
+                    }
                 }
             }
             break;
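Review bot: The bound in `if ( bits[i] >= biClrUsed )` is the header field rather than the size of the palette that later lookups index, and it is only correct if `biClrUsed` was normalized earlier (a raw header value of 0 would make this reject every pixel). Neither is visible in this hunk, so it is worth confirming, or comparing against `palette->ncolors` instead. The same comparison and error string are repeated in the 8-bpp hunk that follows; a small static helper taking the row pointer, the row width and the bound would keep the two checks from drifting apart. A one-line comment such as `/* Reject palette indices that have no palette entry. */` would explain the check to the next reader. The loop and the enclosing switch begin outside the hunk.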
@@ -407,6 +420,16 @@ SDL_LoadBMP_RW(SDL_RWops * src, int freesrc)
                 was_error = SDL_TRUE;
                 goto done;
             }
+            if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
+                for ( i=0; i<surface->w; ++i ) {
+                    if ( bits[i] >= biClrUsed ) {
+                        SDL_SetError(
+                            "A BMP image contains a pixel with a color out of the palette");
+                        was_error = SDL_TRUE;
+                        goto done;
+                    }
+                }
+            }
 #if SDL_BYTEORDER == SDL_BIG_ENDIAN
             /* Byte-swap the pixels if needed. Note that the 24bpp
                case has already been taken care of above. */
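Review bot: In the added condition, `biClrUsed < (1 << biBitCount )` sits behind `8 == biBitCount`, so the shift is always 256 and the test reads more plainly as `biClrUsed < 256`. The reason for the guard is not stated; a comment such as `/* With a full 256-entry palette every byte is a valid index, so the scan is skipped. */` would make it clear that skipping the loop is intentional. The declaration of `i` and the cleanup at `done` are outside the hunk, so the signedness of the `i<surface->w` comparison and the freeing of the partly filled surface cannot be confirmed from here.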