SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has a heap-based buffer over-read in BlitNtoN in video/SDL_blit_N.c when called from SDL_SoftBlit in video/SDL_blit.c. Upstream bug: https://bugzilla.libsdl.org/show_bug.cgi?id=4538
Created SDL tracking bugs for this issue:
Affects: fedora-all [bug 1747238]
Please note that the affected code also exists in SDL_image-1.2.12 package as linked in the upstream bug report.
Upstream patches:
https://hg.libsdl.org/SDL/rev/e7ba650a643a [SDL2]
https://hg.libsdl.org/SDL/rev/ad1bbfbca760 [SDL-1.2]
https://hg.libsdl.org/SDL_image/rev/a59bfe382008 [SDL_image]
Created SDL2 tracking bugs for this issue:
Affects: epel-7 [bug 1754006]
Affects: fedora-all [bug 1754008]

Created mingw-SDL2 tracking bugs for this issue:
Affects: epel-7 [bug 1754007]
Affects: fedora-all [bug 1754009]
Function SDL_LoadBMP_RW() in SDL_bmp.c does not properly validate images, thus it is possible for the width of the BMP to be negative and cause a heap-based buffer overflow in function SDL_BlitCopy() in SDL_blit.c, called e.g. during function SDL_ConvertSurface(). Function SDL_BlitCopy() copies bytes from a src buffer to a destination one and it uses the width of the image to compute the number of bytes to copy. The same issue is present in other functions like BlitNtoN() and similar. An attacker who can provide a malicious image to an application that uses SDL to parse BMP files could use this flaw to make the application crash or possibly execute code.
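As an added illustration of the validation the comment above says SDL_LoadBMP_RW() lacked (example code written for this page, not SDL's own code): a stand-alone C checker that reads the width, height and bit depth from a BMP header and rejects a negative, zero or oversized width before any row pitch or copy length is derived from it, so that a blit routine sizing its copy from the width can never be handed a negative value. The helper names (bmp_validate_header, bmp_make_header, the enum bmp_check codes) and the MAX_DIMENSION cap are assumptions of this example, not SDL identifiers; the sample headers are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result codes of the hypothetical validator (not an SDL API). */
enum bmp_check {
    BMP_OK = 0,
    BMP_ERR_SHORT_HEADER,
    BMP_ERR_BAD_MAGIC,
    BMP_ERR_BAD_WIDTH,
    BMP_ERR_BAD_HEIGHT,
    BMP_ERR_BAD_BPP,
    BMP_ERR_TOO_LARGE
};

/* Largest dimension this example is willing to size a surface for (constructed policy limit). */
#define MAX_DIMENSION 16384

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32le(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff; }
static void wr16le(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }

/* Validate the BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes) fields that
 * drive buffer sizing. On success *pitch is the 4-byte aligned row length and *size the
 * total pixel-data size; on failure nothing is written and the reason is returned. */
enum bmp_check bmp_validate_header(const uint8_t *buf, size_t len, size_t *pitch, size_t *size)
{
    if (len < 14 + 40) return BMP_ERR_SHORT_HEADER;
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_ERR_BAD_MAGIC;

    int32_t  width  = (int32_t)rd32le(buf + 14 + 4);   /* biWidth: signed in the format */
    int32_t  height = (int32_t)rd32le(buf + 14 + 8);   /* biHeight: negative means top-down */
    uint16_t bpp    = rd16le(buf + 14 + 14);           /* biBitCount */

    /* A negative width has no meaning; if it ever reached a size_t pitch computation it
     * would convert to a huge row length and the copy would run past the destination. */
    if (width <= 0 || width > MAX_DIMENSION) return BMP_ERR_BAD_WIDTH;
    /* Zero rows is useless; INT32_MIN cannot be negated, so reject it before taking abs. */
    if (height == 0 || height == INT32_MIN) return BMP_ERR_BAD_HEIGHT;
    int32_t abs_h = height < 0 ? -height : height;
    if (abs_h > MAX_DIMENSION) return BMP_ERR_BAD_HEIGHT;

    switch (bpp) {
        case 1: case 4: case 8: case 16: case 24: case 32: break;
        default: return BMP_ERR_BAD_BPP;
    }

    /* Only now do arithmetic: bits per row, rounded up to a 32-bit boundary, in size_t. */
    size_t p = (((size_t)width * bpp + 31) / 32) * 4;
    size_t total = p * (size_t)abs_h;
    /* With the caps above this cannot overflow; the guard documents the invariant. */
    if (total / p != (size_t)abs_h) return BMP_ERR_TOO_LARGE;
    if (pitch) *pitch = p;
    if (size)  *size  = total;
    return BMP_OK;
}

/* Build a minimal 54-byte BMP header with the given fields (constructed test input). */
void bmp_make_header(uint8_t out[54], int32_t width, int32_t height, uint16_t bpp)
{
    memset(out, 0, 54);
    out[0] = 'B'; out[1] = 'M';
    wr32le(out + 10, 54);                 /* bfOffBits: pixel data follows the headers */
    wr32le(out + 14, 40);                 /* biSize */
    wr32le(out + 18, (uint32_t)width);
    wr32le(out + 22, (uint32_t)height);
    wr16le(out + 26, 1);                  /* biPlanes */
    wr16le(out + 28, bpp);
}

int main(void)
{
    uint8_t h[54];
    size_t pitch = 0, size = 0;
    bmp_make_header(h, 5, 3, 24);
    printf("5x3x24: rc=%d pitch=%zu size=%zu\n", bmp_validate_header(h, sizeof h, &pitch, &size), pitch, size);
    bmp_make_header(h, -5, 3, 24);
    printf("-5x3x24: rc=%d (expect BMP_ERR_BAD_WIDTH=%d)\n", bmp_validate_header(h, sizeof h, &pitch, &size), BMP_ERR_BAD_WIDTH);
    return 0;
}
```

The point of the ordering is that every range check happens on the signed values as the file stores them, and only the checked values are ever converted to size_t for the pitch and total-size computation that a copy loop would consume.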
Mitigation: If the application accepts untrusted BMP files there is no known mitigation apart from applying the patch.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3951 https://access.redhat.com/errata/RHSA-2019:3951
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3950 https://access.redhat.com/errata/RHSA-2019:3950
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13616
This CVE was not fixed via RHSA-2019:3950 https://access.redhat.com/errata/RHSA-2019:3950 in Red Hat Enterprise Linux 7 as claimed. A new CVE, CVE-2019-14906, has been assigned to address this issue.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0293 https://access.redhat.com/errata/RHSA-2020:0293