Researchers at Cisco’s Talos security intelligence and research group have discovered two high severity remote code execution vulnerabilities in Simple DirectMedia Layer (SDL), a popular cross-platform development library.
SDL provides low level access to audio, mouse, keyboard, joystick and graphics hardware, making it ideal for developing games, emulators and video playback software. The library has been used for the development of hundreds of games, including ones made by Valve, and the VLC media player.
Cisco Talos researcher Yves Younan discovered that SDL is affected by memory corruption vulnerabilities that can be exploited remotely to execute arbitrary code on the host by using specially crafted files that the library would process.
The attack scenarios described by Talos in its advisories involve XCF files designed to trigger the vulnerabilities. XCF is the native image format of the popular image-editing tool GIMP.
One of the flaws is an integer overflow (CVE-2017-2888) that can be triggered when creating a new RGB surface via a call to the “CreateRGBSurface” function.
“A sufficiently large width and height value passed to this function could cause a multiplication operation to overflow, thus resulting in too little memory being allocated. Subsequent writes would then be out-of-bounds,” Cisco said in its advisory.
The second vulnerability is a buffer overflow (CVE-2017-2887) that exists in the XCF property handling functionality of the SDL_image image file loading library.
“This vulnerability manifests due to insufficient validation of data read from a file and subsequent use of the data. In this case, the `id` and `length` attributes read from an XCF image file are used without validation, potentially resulting in a stack-based buffer overflow,” Cisco said.
The vulnerabilities affect SDL 2.0.5 and SDL_image 2.0.1. Cisco said the flaws were patched with the release of SDL 2.0.6, but the release notes for this version don’t mention any security fixes.
Related: Code Execution Vulnerabilities Patched in FreeRDP
