mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
a5dc0f82be
patches/packages/libksba-1.6.3-x86_64-1_slack15.0.txz: Upgraded.
Fix another integer overflow in the CRL's signature parser.
(* Security fix *)
patches/packages/sdl-1.2.15-x86_64-13_slack15.0.txz: Rebuilt.
This update fixes a heap overflow problem in video/SDL_pixels.c in SDL.
By crafting a malicious .BMP file, an attacker can cause the application
using this library to crash, denial of service, or code execution.
Thanks to marav for the heads-up.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2021-33657
(* Security fix *)
35 lines
1.2 KiB
Diff
35 lines
1.2 KiB
Diff
From d95c1a4bbd644baba748d341b03141e5f0481ae6 Mon Sep 17 00:00:00 2001
|
|
From: Sam Lantinga <slouken@libsdl.org>
|
|
Date: Tue, 30 Nov 2021 12:36:46 -0800
|
|
Subject: [PATCH] Always create a full 256-entry map in case color values are
|
|
out of range
|
|
|
|
Fixes https://github.com/libsdl-org/SDL/issues/5042
|
|
|
|
Backport of CVE-2021-33657 fix from SDL2
|
|
---
|
|
src/video/SDL_pixels.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
|
|
index 17f1a7199..d0973f217 100644
|
|
--- a/src/video/SDL_pixels.c
|
|
+++ b/src/video/SDL_pixels.c
|
|
@@ -477,7 +477,7 @@ static Uint8 *Map1to1(SDL_Palette *src, SDL_Palette *dst, int *identical)
|
|
}
|
|
*identical = 0;
|
|
}
|
|
- map = (Uint8 *)SDL_malloc(src->ncolors);
|
|
+ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
|
|
if ( map == NULL ) {
|
|
SDL_OutOfMemory();
|
|
return(NULL);
|
|
@@ -498,7 +498,7 @@ static Uint8 *Map1toN(SDL_PixelFormat *src, SDL_PixelFormat *dst)
|
|
SDL_Palette *pal = src->palette;
|
|
|
|
bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
|
|
- map = (Uint8 *)SDL_malloc(pal->ncolors*bpp);
|
|
+ map = (Uint8 *) SDL_calloc(256, bpp);
|
|
if ( map == NULL ) {
|
|
SDL_OutOfMemory();
|
|
return(NULL);
|