Headline
CVE-2022-27470: More integer overflow (see bug #187) · libsdl-org/SDL_ttf@db1b41a
SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memory write via the function TTF_RenderText_Solid(). This vulnerability is triggered via a crafted TTF file.
@@ -1257,7 +1257,7 @@ static SDL_Surface* Create_Surface_Solid(int width, int height, SDL_Color fg, Ui */ void *pixels, *ptr; /* Worse case at the end of line pulling ‘alignment’ extra blank pixels */ Sint64 pitch = width + alignment; Sint64 pitch = (Sint64)width + (Sint64)alignment; pitch += alignment; pitch &= ~alignment; size = height * pitch + sizeof (void *) + alignment; @@ -1321,7 +1321,7 @@ static SDL_Surface* Create_Surface_Shaded(int width, int height, SDL_Color fg, S */ void *pixels, *ptr; /* Worse case at the end of line pulling ‘alignment’ extra blank pixels */ Sint64 pitch = width + alignment; Sint64 pitch = (Sint64)width + (Sint64)alignment; pitch += alignment; pitch &= ~alignment; size = height * pitch + sizeof (void *) + alignment; @@ -1418,7 +1418,7 @@ static SDL_Surface *Create_Surface_Blended(int width, int height, SDL_Color fg, Sint64 size; void *pixels, *ptr; /* Worse case at the end of line pulling ‘alignment’ extra blank pixels */ Sint64 pitch = (width + alignment) * 4; Sint64 pitch = ((Sint64)width + (Sint64)alignment) * 4; pitch += alignment; pitch &= ~alignment; size = height * pitch + sizeof (void *) + alignment;
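Review bot: In Create_Surface_Solid (hunk at -1257) nothing in the visible lines range-checks the result of `size = height * pitch + sizeof (void *) + alignment;` before it is used to size the pixel buffer. With pitch a Sint64 the multiply no longer wraps in int, but a negative width or height, or a size larger than the allocator's argument type can hold (size_t is 32 bits on some targets), would still pass through. If the lines below this hunk do not already do so, reject those cases and return NULL.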
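Review bot: The pitch and size computation in Create_Surface_Shaded (hunk at -1321) is line for line the same as in Create_Surface_Solid, and Create_Surface_Blended differs only by the `* 4`, which is why this fix had to be repeated three times. Consider one static helper that takes width, height, alignment and bytes per pixel and yields pitch and size, so the widening casts and any range check live in a single place and cannot be missed in one copy.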
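Review bot: The reason for the casts in Create_Surface_Blended (hunk at -1418) is not documented: in `Sint64 pitch = ((Sint64)width + (Sint64)alignment) * 4;` the casts have to stay inside the parentheses so that both the add and the multiply are done as Sint64, yet the comment above the line only explains the extra blank pixels. Add a short comment saying the arithmetic is deliberately widened before the multiply, and give the bare 4 a name (bytes per pixel). The existing comment's "Worse case" should also read "Worst case" in all three functions.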
Related news
Gentoo Linux Security Advisory 202407-2 - A vulnerability has been discovered in SDL_ttf, which can lead to arbitrary memory writes. Versions greater than or equal to 2.20.0 are affected.
ARM mbed product Version 6.3.0 is vulnerable to integer wrap-around in malloc_wrapper function, which can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.