An exploitable integer overflow vulnerability exists when creating a new RGB surface in SDL 2.0.5. A specially crafted file can cause an integer overflow, resulting in too little memory being allocated, which can lead to a buffer overflow and potential code execution. An attacker can provide a specially crafted image file to trigger this vulnerability.

External References:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395
Created SDL tracking bugs for this issue:

Affects: fedora-all [bug 1500624]

Created mingw-SDL tracking bugs for this issue:

Affects: fedora-all [bug 1500625]
This appears to be the patch:
http://hg.libsdl.org/SDL/rev/7e0f1498ddb5

PLEASE NOTE: Simply applying the patch will not work with F26, as the compiler appears to optimize the check away. Set the "-fno-strict-overflow" compiler flag to prevent this.
Created SDL2 tracking bugs for this issue:

Affects: epel-7 [bug 1500735]
Affects: fedora-all [bug 1500734]
SDL1 has the following check and should not be vulnerable:

> /* Make sure the size requested doesn't overflow our datatypes */
> /* Next time I write a library like SDL, I'll use int for size. :) */
> if ( width >= 16384 || height >= 65536 ) {
>     SDL_SetError("Width or height is too large");
>     return(NULL);
> }
(In reply to Stefan Cornelius from comment #2)
> This appears to be the patch:
> http://hg.libsdl.org/SDL/rev/7e0f1498ddb5
>
> PLEASE NOTE: Simply applying the patch will not work with F26, as the
> compiler appears to optimize the check away. Set the "-fno-strict-overflow"
> compiler flag to prevent this.

Ugh, is there some better way of doing this?
Created attachment 1337656
Ugly patch based on secure coding guide

This is an ugly patch (the new functions and includes should probably have their own header etc.) roughly based on what the CERT Secure Coding Guide recommends. Should work with most compilers, though. Not extensively tested, so no guarantees that this is indeed correct.
Created attachment 1337658
Patch using a builtin compiler function

This one uses a builtin compiler function; gcc and llvm should support this, not sure about other compilers, though. Not extensively tested, so no guarantees that this is indeed correct.
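The two attached patches are not reproduced on this page, so the following is an added illustration (my own code, not SDL's and not either attachment) of the three approaches the comments above discuss: the post-hoc sign test that an optimizing compiler may delete because signed overflow is undefined behaviour, the CERT C INT32-C pre-check from comment #6, and the compiler builtin from comment #7. The surface-size arithmetic (pitch = width * bytes per pixel, rows padded to 4 bytes, allocation = pitch * height) is a simplified stand-in for what SDL_CreateRGBSurface does; the function names and the 16384 x 65536 x 32bpp input are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* 1. The vulnerable pattern: multiply in int first, test the sign afterwards.
 *    Signed overflow is undefined behaviour, so an optimizing compiler may
 *    assume it cannot happen and remove the "size < 0" test; at -O0 the
 *    product simply wraps and a far too small size is handed to the allocator. */
static bool surface_size_naive(int width, int height, int bytes_per_pixel,
                               size_t *out)
{
    int pitch = width * bytes_per_pixel;   /* UB on overflow */
    pitch = (pitch + 3) & ~3;
    int size = pitch * height;             /* UB on overflow */
    if (size < 0)                          /* the check that may be optimized away */
        return false;
    *out = (size_t)size;
    return true;
}

/* 2. CERT C INT32-C: decide from the operands, before multiplying, whether
 *    a * b fits in an int. No UB, portable to any C compiler. */
static bool cert_mul_int(int a, int b, int *result)
{
    if (a > 0) {
        if (b > 0) {
            if (a > INT_MAX / b) return false;
        } else {
            if (b < INT_MIN / a) return false;
        }
    } else {
        if (b > 0) {
            if (a < INT_MIN / b) return false;
        } else {
            if (a != 0 && b < INT_MAX / a) return false;
        }
    }
    *result = a * b;
    return true;
}

/* 3. Compiler builtin (GCC 5+ and Clang): the builtin returns true when the
 *    product does not fit, so the overflow flag is tested instead of relying
 *    on wrapped results. */
static bool builtin_mul_int(int a, int b, int *result)
{
    return !__builtin_mul_overflow(a, b, result);
}

typedef bool (*checked_mul_fn)(int, int, int *);

/* Hardened size calculation: every intermediate is checked before it is used. */
static bool surface_size_checked(checked_mul_fn mul, int width, int height,
                                 int bytes_per_pixel, size_t *out)
{
    int pitch, size;

    if (width < 0 || height < 0 || bytes_per_pixel < 1 || bytes_per_pixel > 4)
        return false;
    if (!mul(width, bytes_per_pixel, &pitch))
        return false;
    if (pitch > INT_MAX - 3)              /* the alignment step can overflow too */
        return false;
    pitch = (pitch + 3) & ~3;
    if (!mul(pitch, height, &size))
        return false;
    *out = (size_t)size;
    return true;
}

/* Sentinel-returning wrapper: the computed size, or -1 when it does not fit. */
static long long surface_size_or_neg(checked_mul_fn mul, int width, int height,
                                     int bytes_per_pixel)
{
    size_t n = 0;
    return surface_size_checked(mul, width, height, bytes_per_pixel, &n)
               ? (long long)n : -1;
}

int main(void)
{
    /* Constructed input: 16384 x 65536 at 4 bytes/pixel, pitch * height == 2^32. */
    int w = 16384, h = 65536, bpp = 4;
    size_t n = 0;

    printf("naive   : %s, size %zu\n",
           surface_size_naive(w, h, bpp, &n) ? "accepted" : "rejected", n);
    printf("CERT    : %lld\n", surface_size_or_neg(cert_mul_int, w, h, bpp));
    printf("builtin : %lld\n", surface_size_or_neg(builtin_mul_int, w, h, bpp));
    return 0;
}
```

Built with -O0 the naive version accepts the crafted dimensions with a wrapped size of 0; with optimization the sign test is allowed to disappear altogether, which is why -fno-strict-overflow changes the outcome of the first patch. Both checked variants reject the input before any multiplication wraps, and the CERT variant does so with plain C, so it does not depend on the compiler.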
Statement: This issue did not affect the versions of SDL as shipped with Red Hat Enterprise Linux 5, 6, and 7.
See: https://hg.libsdl.org/SDL/rev/81a4950907a0
(In reply to Stefan Cornelius from comment #9)
> Statement:
>
> This issue did not affect the versions of SDL as shipped with Red Hat
> Enterprise Linux 5, 6, and 7.

Why would I care about those distributions when I'm working on Fedora?
(In reply to Salvatore Bonaccorso from comment #10)
> See: https://hg.libsdl.org/SDL/rev/81a4950907a0

Thanks a lot! Applied and building.