Overview

File CVE-2019-7635.patch of Package SDL.12361

diff --git a/src/video/SDL_bmp.c b/src/video/SDL_bmp.c
index d56cfd8..6f6dedf 100644
--- a/src/video/SDL_bmp.c
+++ b/src/video/SDL_bmp.c
@@ -163,6 +163,14 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 			ExpandBMP = biBitCount;
 			biBitCount = 8;
 			break;
+		case 2:
+		case 3:
+		case 5:
+		case 6:
+		case 7:
+			SDL_SetError("%d-bpp BMP images are not supported", biBitCount);
+			was_error = SDL_TRUE;
+			goto done;	
 		default:
 			ExpandBMP = 0;
 			break;
@@ -296,6 +304,11 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 				}
 				*(bits+i) = (pixel>>shift);
 				pixel <<= ExpandBMP;
+				if ( bits[i] >= biClrUsed ) {
+					SDL_SetError("A BMP image contains a pixel with a color out of the palette");
+					was_error = SDL_TRUE;
+					goto done;
+				}
 			} }
 			break;
 
@@ -306,6 +319,16 @@ SDL_Surface * SDL_LoadBMP_RW (SDL_RWops *src, int freesrc)
 				was_error = SDL_TRUE;
 				goto done;
 			}
+			if ( 8 == biBitCount && palette && biClrUsed < (1 << biBitCount ) ) {
+				for ( i=0; i<surface->w; ++i ) {
+					if ( bits[i] >= biClrUsed ) {
+						SDL_SetError(
+							"A BMP image contains a pixel with a color out of the palette");
+						was_error = SDL_TRUE;
+						goto done;
+					}
+				}
+			}
 #if SDL_BYTEORDER == SDL_BIG_ENDIAN
 			/* Byte-swap the pixels if needed. Note that the 24bpp
 			   case has already been taken care of above. */
openSUSE Build Service is sponsored by
Places