Bug 1747237 (CVE-2019-13616) - CVE-2019-13616 SDL: heap-based buffer overflow in SDL blit functions in video/SDL_blit*.c
Summary: CVE-2019-13616 SDL: heap-based buffer overflow in SDL blit functions in video/SDL_blit*.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-13616
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1754006 1747238 1754007 1754008 1754009 1756276 1756277 1756278 1756279 1756280 1756281 1759029 1773498
Blocks: 1747239
Reported: 2019-08-30 00:38 UTC by Pedro Sampaio
Modified: 2021-02-16 21:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow was discovered in SDL in the SDL_BlitCopy() function, which is called while copying an existing surface into a new optimized one, due to a lack of validation while loading a BMP image in the SDL_LoadBMP_RW() function. An application that uses SDL to parse untrusted input files may be vulnerable to this flaw, which could allow an attacker to make the application crash or possibly execute code.
Clone Of:
Environment:
Last Closed: 2019-11-25 19:04:50 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3961 0 None None None 2019-11-25 21:37:38 UTC
Red Hat Product Errata RHSA-2019:3950 0 None None None 2019-11-25 12:52:43 UTC
Red Hat Product Errata RHSA-2019:3951 0 None None None 2019-11-25 12:29:23 UTC
Red Hat Product Errata RHSA-2020:0293 0 None None None 2020-01-30 09:05:36 UTC

Description Pedro Sampaio 2019-08-30 00:38:38 UTC
SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c.

Upstream bug:

https://bugzilla.libsdl.org/show_bug.cgi?id=4538

Comment 1 Pedro Sampaio 2019-08-30 00:38:49 UTC
Created SDL tracking bugs for this issue:

Affects: fedora-all [bug 1747238]

Comment 2 Petr Pisar 2019-08-30 12:26:12 UTC
Please note that the affected code also exists in SDL_image-1.2.12 package as linked in the upstream bug report.

Comment 3 Riccardo Schirone 2019-09-20 14:16:45 UTC
Upstream patches:
https://hg.libsdl.org/SDL/rev/e7ba650a643a [SDL2]
https://hg.libsdl.org/SDL/rev/ad1bbfbca760 [SDL-1.2]
https://hg.libsdl.org/SDL_image/rev/a59bfe382008 [SDL_Image]

Comment 4 Riccardo Schirone 2019-09-20 14:20:50 UTC
Created SDL2 tracking bugs for this issue:

Affects: epel-7 [bug 1754006]
Affects: fedora-all [bug 1754008]


Created mingw-SDL2 tracking bugs for this issue:

Affects: epel-7 [bug 1754007]
Affects: fedora-all [bug 1754009]

Comment 5 Riccardo Schirone 2019-09-26 12:26:23 UTC
Function SDL_LoadBMP_RW() in SDL_bmp.c does not properly validate images, thus it is possible for the width of the BMP to be negative and cause a heap-based buffer overflow in function SDL_BlitCopy() in SDL_blit.c, called e.g. during function SDL_ConvertSurface(). Function SDL_BlitCopy() copies bytes from a src buffer to a destination one and it uses the width of the image to compute the number of bytes to copy. The same issue is present in other functions like BlitNtoN() and similar.

An attacker who can provide a malicious image to an application that uses SDL to parse BMP files could use this flaw to make the application crash or possibly execute code.
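
The root cause described in this comment, a BMP header whose signed width is negative flowing into the blitter's byte count, is exactly the kind of input a loader should reject before any surface is allocated. The validator below is an added example written for this page; it is not SDL's code and not the upstream patch. It parses the fixed BMP headers (BITMAPFILEHEADER followed by BITMAPINFOHEADER) with explicit little-endian reads, rejects a non-positive width and a zero height, bounds both dimensions by a hypothetical application cap BMP_MAX_DIMENSION, and computes the row pitch in 64-bit arithmetic so the width times bits-per-pixel product cannot wrap. The function names, the bmp_err codes and bmp_fill_header (which builds a constructed header for testing, not real image data) are all this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HEADER_SIZE 14
#define BMP_INFO_HEADER_SIZE 40
#define BMP_HEADER_SIZE      (BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE)
/* Hypothetical application policy, not an SDL constant: bound the pixel
 * allocation even when every header field is internally consistent. */
#define BMP_MAX_DIMENSION    16384

enum bmp_err {
    BMP_OK = 0,
    BMP_ERR_SHORT = -1,     /* fewer bytes than the two fixed headers */
    BMP_ERR_MAGIC = -2,     /* not "BM" */
    BMP_ERR_INFOSIZE = -3,  /* biSize smaller than BITMAPINFOHEADER */
    BMP_ERR_WIDTH = -4,     /* width <= 0 or above the policy cap */
    BMP_ERR_HEIGHT = -5,    /* height == 0 or |height| above the cap */
    BMP_ERR_BPP = -6        /* unsupported bits per pixel */
};

typedef struct {
    int32_t  width;
    int32_t  height;    /* negative is legal in BMP: top-down row order */
    uint16_t bit_count;
    size_t   pitch;     /* bytes per row, rounded up to a 4-byte boundary */
} bmp_info_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse and validate the fixed headers before any pixel buffer is sized. */
int bmp_validate_header(const uint8_t *buf, size_t len, bmp_info_t *out)
{
    if (len < BMP_HEADER_SIZE) return BMP_ERR_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_MAGIC;
    const uint8_t *ih = buf + BMP_FILE_HEADER_SIZE;
    if (rd_le32(ih + 0) < BMP_INFO_HEADER_SIZE) return BMP_ERR_INFOSIZE;

    /* biWidth and biHeight are signed 32-bit in the format; read them as such. */
    int32_t w = (int32_t)rd_le32(ih + 4);
    int32_t h = (int32_t)rd_le32(ih + 8);
    uint16_t bpp = rd_le16(ih + 14);

    /* A non-positive width is what turned into an oversized copy in the blitter. */
    if (w <= 0 || w > BMP_MAX_DIMENSION) return BMP_ERR_WIDTH;
    if (h == 0 || h == INT32_MIN) return BMP_ERR_HEIGHT;
    int32_t abs_h = h < 0 ? -h : h;
    if (abs_h > BMP_MAX_DIMENSION) return BMP_ERR_HEIGHT;
    switch (bpp) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return BMP_ERR_BPP;
    }

    /* Row stride in 64-bit arithmetic so w * bpp cannot wrap before rounding. */
    uint64_t pitch = (((uint64_t)w * bpp + 31) / 32) * 4;
    if (out) {
        out->width = w; out->height = h;
        out->bit_count = bpp; out->pitch = (size_t)pitch;
    }
    return BMP_OK;
}

/* Build a constructed 54-byte header for testing; this is not image data. */
void bmp_fill_header(uint8_t buf[BMP_HEADER_SIZE], int32_t w, int32_t h, uint16_t bpp)
{
    memset(buf, 0, BMP_HEADER_SIZE);
    buf[0] = 'B'; buf[1] = 'M';
    uint8_t *ih = buf + BMP_FILE_HEADER_SIZE;
    uint32_t uw = (uint32_t)w, uh = (uint32_t)h, sz = BMP_INFO_HEADER_SIZE;
    for (int i = 0; i < 4; i++) {
        ih[0 + i] = (uint8_t)(sz >> (8 * i));
        ih[4 + i] = (uint8_t)(uw >> (8 * i));
        ih[8 + i] = (uint8_t)(uh >> (8 * i));
    }
    ih[12] = 1;                                   /* biPlanes */
    ih[14] = (uint8_t)bpp; ih[15] = (uint8_t)(bpp >> 8);
}

/* Wrappers that run the validator over a constructed header. */
int bmp_check_dims(int32_t w, int32_t h, uint16_t bpp)
{
    uint8_t hdr[BMP_HEADER_SIZE];
    bmp_fill_header(hdr, w, h, bpp);
    return bmp_validate_header(hdr, sizeof hdr, NULL);
}

size_t bmp_pitch_for(int32_t w, uint16_t bpp)
{
    uint8_t hdr[BMP_HEADER_SIZE];
    bmp_info_t info = {0};
    bmp_fill_header(hdr, w, 1, bpp);
    return bmp_validate_header(hdr, sizeof hdr, &info) == BMP_OK ? info.pitch : 0;
}

int main(void)
{
    printf("16x16x24 -> rc %d, pitch %zu\n", bmp_check_dims(16, 16, 24), bmp_pitch_for(16, 24));
    printf("-10x16x24 -> rc %d\n", bmp_check_dims(-10, 16, 24));
    return 0;
}
```

The validated pitch and the absolute height are the only two quantities that should feed the allocation and the per-row copy length; the blitter then never sees a width the parser did not already accept.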

Comment 6 Riccardo Schirone 2019-09-27 08:29:15 UTC
Mitigation:

If the application accepts untrusted BMP files there is no known mitigation apart from applying the patch.

Comment 14 errata-xmlrpc 2019-11-25 12:29:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3951 https://access.redhat.com/errata/RHSA-2019:3951

Comment 15 errata-xmlrpc 2019-11-25 12:52:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3950 https://access.redhat.com/errata/RHSA-2019:3950

Comment 16 Product Security DevOps Team 2019-11-25 19:04:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13616

Comment 17 Riccardo Schirone 2019-11-27 15:23:26 UTC
This CVE was not fixed via RHSA-2019:3950 https://access.redhat.com/errata/RHSA-2019:3950 in Red Hat Enterprise Linux 7 as claimed.
A new CVE, CVE-2019-14906, has been assigned to address this issue.

Comment 18 errata-xmlrpc 2020-01-30 09:05:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0293 https://access.redhat.com/errata/RHSA-2020:0293
