| Summary: | SDL 1.2.14 + Wacom Bamboo CTH-460 -> crash due to heap corruption | | |
|---|---|---|---|
| Product: | SDL | Reporter: | Lockal <lockalsash> |
| Component: | joystick | Assignee: | Sam Lantinga <slouken> |
| Status: | RESOLVED FIXED | QA Contact: | Sam Lantinga <slouken> |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 1.2.14 | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Attachments: | Valgrind log; Log for SDL_PrivateJoystickButton | | |
Description
Lockal
2011-11-26 06:24:47 UTC
Sam Lantinga: What is the output of testjoystick with this tablet connected?

Lockal:

```text
There are 1 joysticks attached
Joystick 0: btnx keyboard
       axes: 0
      balls: 0
       hats: 0
    buttons: 159
Watching joystick 0: (btnx keyboard)
Joystick has 0 axes, 0 hats, 0 balls, and 159 buttons
Joystick 0 button 0 up
Joystick 0 button 1 up
Joystick 0 button 2 up
.....
Joystick 0 button 123 up
Joystick 0 button 124 up
Joystick 0 button 125 up
```
After that, testjoystick does not output or handle any clicks. And that's for the MX Revolution mouse. The Valgrind log is the same.

I've investigated the log and found that the read() call in the JS_HandleEvents function reads too much. It reads 32 js_event structures. For each structure it calls SDL_PrivateJoystickButton(joystick, events[i].number, events[i].value); where events[i].value = 0 and events[i].number is from 0 to 31. Then it calls read(joystick->hwdata->fd ...) again and calls SDL_PrivateJoystickButton with events[i].number = 32-63.

At some moment events[i].number reaches 159 (joystick->nbuttons is 159), but the read function still continues to read. SDL_PrivateJoystickButton with events[i].number == 159 is called and that call produces "Invalid write of size 1". Then read() fetches data until events[i].number == 255 and only then does it stop.

So my Wacom device is not to blame. However, my MX Revolution mouse is not a joystick and the number of buttons is not 159.
Sam Lantinga: Interesting, it looks like a keyboard is being detected as a joystick. What kind of keyboard do you have?

Lockal: I have an ordinary Kraftway PS/2 keyboard. The problem is with my Logitech MX Revolution mouse, which uses the small btnx daemon (https://launchpad.net/btnx) to enable rerouting of mouse button events through uinput as keyboard and other mouse button combinations. http://bazaar.launchpad.net/~vcs-imports/btnx/trunk/view/head:/src/uinput.c#L52 creates 2 fake devices, a mouse and a keyboard, and registers them with uinput. That's why SDL detects it as a keyboard.

Sam Lantinga: I looked over the code and it should handle a "joystick" with 0 axes and 159 buttons with no problems. Can you grab the latest snapshot and add a print statement to SDL_PrivateJoystickButton() to print out what button is being pressed? http://www.libsdl.org/tmp/SDL-1.2.zip

Lockal: Created attachment 755 [details]
Log for SDL_PrivateJoystickButton
The dirty workaround is to add

`if (button < joystick->nbuttons)`

before the line

`joystick->buttons[button] = state;`

in SDL_joystick.c. No more invalid writes, as far as I can see.
This may be a problem in btnx, but the btnx project seems to be dead. There are some other reports about btnx and SDL for DOSBox (http://ubuntuforums.org/showthread.php?t=1670492), Eduke32 (http://forums.duke4.net/topic/3073-eduke32-wont-start-in-ubuntu/), XBMC (http://forum.xbmc.org/archive/index.php/t-93491.html) and a few other programs (https://www.google.com/search?q=%22btnx%20keyboard%22%20sdl).
Sam Lantinga: Fixed, thanks! It was fixed in this revision: http://hg.libsdl.org/SDL/rev/20d04c674a08
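The failure mode the reporter traced, as an added example that is not SDL's code and not the contents of the linked hg revision: a device enumerated with 159 buttons delivers JS_EVENT_INIT button events numbered 0..255, and an unchecked `buttons[button] = state` store writes past the end of the heap array, which is exactly what Valgrind reported as "Invalid write of size 1". The struct js_event layout is the one from <linux/joystick.h>; the Joystick struct, the guard region and all function names are assumptions made for this example. The guard bytes after the array make the overflow countable without undefined behaviour, and the checked store mirrors the reporter's workaround (the exact form of the upstream fix is not reproduced here).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as struct js_event in <linux/joystick.h>, reproduced here so the
 * example builds on any platform. */
struct js_event {
    uint32_t time;
    int16_t  value;
    uint8_t  type;
    uint8_t  number;
};
#define JS_EVENT_BUTTON 0x01
#define JS_EVENT_INIT   0x80

/* Assumed stand-in for the part of SDL_Joystick this bug touches: the real
 * struct has more fields, but only nbuttons and buttons[] matter here. */
typedef struct {
    int      nbuttons;
    uint8_t *buttons;   /* heap array, one byte per enumerated button */
} Joystick;

/* Guard bytes after buttons[] make out-of-range writes observable; in the
 * real library the bytes hit belong to whatever the allocator placed next. */
#define GUARD_SIZE 128
#define GUARD_BYTE 0xA5

static Joystick *joystick_create(int nbuttons) {
    Joystick *js = calloc(1, sizeof *js);
    js->nbuttons = nbuttons;
    js->buttons  = malloc((size_t)nbuttons + GUARD_SIZE);
    memset(js->buttons, 0, (size_t)nbuttons);
    memset(js->buttons + nbuttons, GUARD_BYTE, GUARD_SIZE);
    return js;
}

static void joystick_destroy(Joystick *js) {
    free(js->buttons);
    free(js);
}

/* Count guard bytes clobbered by writes past buttons[nbuttons - 1]. */
static int joystick_guard_damage(const Joystick *js) {
    int damaged = 0;
    for (int i = 0; i < GUARD_SIZE; i++)
        if (js->buttons[js->nbuttons + i] != GUARD_BYTE)
            damaged++;
    return damaged;
}

/* Unchecked store: the shape of the write Valgrind flagged in the report. */
static void button_update_unchecked(Joystick *js, uint8_t button, uint8_t state) {
    js->buttons[button] = state;
}

/* Checked store (the reporter's workaround): drop any button number the
 * driver never enumerated. Returns 1 if stored, 0 if rejected. */
static int button_update_checked(Joystick *js, uint8_t button, uint8_t state) {
    if (button >= js->nbuttons)
        return 0;
    js->buttons[button] = state;
    return 1;
}

/* Walk a buffer of js_event records the way the read() loop in
 * JS_HandleEvents does. Returns how many button events were rejected
 * (always 0 when checked == 0). */
static int handle_events(Joystick *js, const struct js_event *ev, size_t n, int checked) {
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if ((ev[i].type & ~JS_EVENT_INIT) != JS_EVENT_BUTTON)
            continue;                       /* axis events are not part of this bug */
        uint8_t state = ev[i].value ? 1 : 0;
        if (checked)
            rejected += !button_update_checked(js, ev[i].number, state);
        else
            button_update_unchecked(js, ev[i].number, state);
    }
    return rejected;
}

/* Constructed stream modelled on the report: one JS_EVENT_INIT|BUTTON "up"
 * event for every button number 0..255, from a device that enumerated 159. */
#define STREAM_LEN 256
static size_t make_init_stream(struct js_event *out) {
    for (int n = 0; n < STREAM_LEN; n++) {
        out[n].time   = 0;
        out[n].value  = 0;
        out[n].type   = JS_EVENT_BUTTON | JS_EVENT_INIT;
        out[n].number = (uint8_t)n;
    }
    return STREAM_LEN;
}

int main(void) {
    struct js_event ev[STREAM_LEN];
    size_t n = make_init_stream(ev);

    Joystick *vuln = joystick_create(159);
    handle_events(vuln, ev, n, 0);
    printf("unchecked: %d bytes past buttons[] overwritten\n", joystick_guard_damage(vuln));

    Joystick *fixed = joystick_create(159);
    int rejected = handle_events(fixed, ev, n, 1);
    printf("checked:   %d events rejected, %d bytes overwritten\n",
           rejected, joystick_guard_damage(fixed));

    joystick_destroy(vuln);
    joystick_destroy(fixed);
    return 0;
}
```

The unchecked run overwrites 97 bytes (button numbers 159 through 255) beyond the array; the checked run rejects those same 97 events and leaves the guard intact. The general lesson is the one in the thread: a device-supplied index must be validated against the size the library itself allocated, because a uinput device (here btnx) can report any button number regardless of what the enumeration step returned.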