Today, Talos is disclosing two vulnerabilities that have been identified in the Simple DirectMedia Layer library. Simple DirectMedia Layer (SDL) is a cross-platform development library designed for use in video playback software, emulators, and games by providing low level access to audio, keyboard, mouse, joystick, and graphics hardware. SDL, via its SDL_image library, also has the capability to handle various image formats such as XCF, the default layered image format for GIMP.

An attacker could compromise a user by exploiting one of these vulnerabilities via a specifically crafted file that SDL would handle, such as a XCF file.

Given that numerous applications make use of SDL, Talos has coordinated with the SDL community to disclose these vulnerabilities and ensure that an updated version of the library is available to use.

Vulnerability Details Both vulnerabilities highlighted in this post were identified by Yves Younan.

CVE-2017-2887/TALOS-2017-0394 - Simple DirectMedia Layer SDL_image XCF Property Handling Code Execution Vulnerability
A buffer overflow vulnerability has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests due to insufficient validation of data read from a file and subsequent use of the data. In this case, the `id` and `length` attributes read from an XCF image file are used without validation, potentially resulting in a stack-based buffer overflow.

CVE-2017-2888/TALOS-2017-0395 - Simple DirectMedia Layer Create RGB Surface Code Execution Vulnerability
An integer overflow vulnerability has been identified which could lead to arbitrary code execution on an affected host. This vulnerability manifests when creating a new RGB surface via a call to the `CreateRGBSurface` function. A sufficiently large width and height value passed to this function could cause a multiplication operation to overflow, thus resulting in too little memory being allocated. Subsequent writes would then be out-of-bounds.

For the full technical details of these vulnerabilities, please visit the Vulnerability Reports portal on our website.

Coverage Talos has released the following Snort rules to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Snort Rules: 43855-43856, 43858, 43860