| Summary: | IMG_LoadLBM/PNM/XCF_RW() crash with a heap corruption on loading LBM, PNM or XCF images | | |
|---|---|---|---|
| Product: | SDL_image | Reporter: | Marcus von Appen <mva> |
| Component: | misc | Assignee: | Sam Lantinga <slouken> |
| Status: | RESOLVED FIXED | QA Contact: | Sam Lantinga <slouken> |
| Severity: | critical | | |
| Priority: | P2 | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Windows 7 | | |
The same happens in IMG_LoadPNM_RW().
Patch:
--- a/IMG_pnm.c Tue Apr 23 20:15:22 2013 -0700
+++ b/IMG_pnm.c Wed Apr 24 12:01:45 2013 +0200
@@ -229,7 +229,7 @@
row += surface->pitch;
}
done:
- free(buf);
+ SDL_free(buf);
if(error) {
SDL_RWseek(src, start, RW_SEEK_SET);
if ( surface ) {
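Review bot: the hunk only shows the release side of `buf`; swapping `free(buf)` for `SDL_free(buf)` at `done:` is correct only if `buf` is obtained from SDL_malloc (or SDL_calloc) in the same function, so check the allocation site too and look for any other bare free() in IMG_LoadPNM_RW() that can be reached through the same `done:` path, otherwise one mismatched pair remains.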
And it also happens for IMG_LoadXCF_RW().
Patch:
--- a/IMG_xcf.c Tue Apr 23 20:15:22 2013 -0700
+++ b/IMG_xcf.c Wed Apr 24 12:10:26 2013 +0200
@@ -287,7 +287,7 @@
static void free_xcf_header (xcf_header * h) {
if (h->cm_num)
- free (h->cm_map);
+ SDL_free (h->cm_map);
free (h);
}
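Review bot: `free_xcf_header` is left with a mixed pair: `h->cm_map` now goes through `SDL_free (h->cm_map)` while the unchanged context line `free (h);` still hands the header itself to the C runtime. If `h` is allocated with SDL_malloc the same way `cm_map` is, that remaining call is exactly the mismatch this patch is meant to remove; change it to `SDL_free (h);` in the same hunk.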
@@ -359,7 +359,7 @@
static void free_xcf_channel (xcf_channel * c) {
free (c->name);
- free (c);
+ SDL_free (c);
}
static xcf_channel * read_xcf_channel (SDL_RWops * src) {
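Review bot: same inconsistency in `free_xcf_channel`: `free (c)` becomes `SDL_free (c)`, but the context line `free (c->name);` directly above it is unchanged. Unless `c->name` is deliberately allocated with the C runtime allocator (which would be unusual next to an SDL_malloc'd `c`), it should become `SDL_free (c->name);` as well, so the whole function releases through one allocator.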
@@ -425,8 +425,8 @@
}
static void free_xcf_level (xcf_level * l) {
- free (l->tile_file_offsets);
- free (l);
+ SDL_free (l->tile_file_offsets);
+ SDL_free (l);
}
static xcf_level * read_xcf_level (SDL_RWops * src) {
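Review bot: this hunk converts both releases in `free_xcf_level`, which is the consistent form; verify that `read_xcf_level` (whose signature follows the hunk) allocates `tile_file_offsets` and the `xcf_level` itself with SDL_malloc, since the fix only removes the mismatch when allocation and release use the same heap.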
Fixed, thanks! http://hg.libsdl.org/SDL_image/rev/b2aa197f6774
Trying to load an LBM image via any of the IMG_* functions will lead to a heap corruption on Windows 7, causing the application to crash. The problem is caused by the usage of SDL_malloc on Win32, which by default uses dlmalloc, which in turn redefines malloc and free within the SDL address space. The CRT heap manager hence is unaware of the pointer being allocated and will try to free an unmanaged memory segment by calling free() on the temporary buffer in IMG_LoadLBM_RW().
Patch: --- a/IMG_lbm.c Tue Apr 23 20:15:22 2013 -0700 +++ b/IMG_lbm.c Wed Apr 24 11:36:29 2013 +0200 @@ -467,7 +467,7 @@ done: - if ( MiniBuf ) free( MiniBuf ); + if ( MiniBuf ) SDL_free( MiniBuf ); if ( error ) {
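Review bot: only the `done:` cleanup is changed; for the fix to hold, `MiniBuf` must be allocated with SDL_malloc in IMG_LoadLBM_RW() and no other path in the function may release it (or the other temporary buffers) with a bare free(). The `if ( MiniBuf )` guard is kept, which is fine, but a quick check for further free() calls in IMG_lbm.c would confirm nothing else still pairs an SDL_malloc'd block with the CRT allocator.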
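The root cause described above is an allocator mismatch: a block obtained from SDL's own heap is handed to the C runtime's free(), which has no record of it and corrupts its own metadata. The following C program is an added example, not code from SDL or SDL_image, and models that situation in a portable way. `img_malloc`/`img_free` are hypothetical stand-ins for SDL_malloc/SDL_free, `crt_free` is a hypothetical stand-in for the runtime free(), and a registry of live blocks lets the "wrong" free detect the foreign pointer and report it instead of corrupting the heap. `load_and_release` mirrors the LBM loader's temporary buffer in its buggy and fixed forms.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example (hypothetical allocators, not SDL's): img_malloc/img_free model
 * the library heap (SDL_malloc/SDL_free backed by dlmalloc on Win32), crt_free
 * models the C runtime free() that the buggy loader called on such a block. */

#define IMG_HEAP_SLOTS 64

/* Registry of blocks currently live on the library heap. A real allocator keeps
 * this bookkeeping in chunk headers; a plain table keeps the example portable. */
static void *img_live[IMG_HEAP_SLOTS];

/* Index of p in the registry, or -1 if the library heap does not own p. */
static int img_slot_of(const void *p) {
    for (int i = 0; i < IMG_HEAP_SLOTS; i++)
        if (img_live[i] == p) return i;
    return -1;
}

/* Library-heap allocation: like the real thing, it is still backed by the
 * system allocator, but every block it hands out is recorded. */
void *img_malloc(size_t n) {
    int slot = img_slot_of(NULL);          /* first free registry slot */
    if (slot < 0) return NULL;
    void *p = malloc(n ? n : 1);
    if (p) img_live[slot] = p;
    return p;
}

/* Matching release. Returns 0 on success, -1 if p did not come from img_malloc. */
int img_free(void *p) {
    if (!p) return 0;
    int slot = img_slot_of(p);
    if (slot < 0) return -1;
    img_live[slot] = NULL;
    free(p);
    return 0;
}

/* Stand-in for the CRT free(). On a real system it cannot recognise a foreign
 * block and silently corrupts its heap; here it refuses and reports -1 so the
 * mismatch becomes a detectable error instead of a crash. */
int crt_free(void *p) {
    if (!p) return 0;
    if (img_slot_of(p) >= 0) return -1;    /* block belongs to the library heap */
    free(p);
    return 0;
}

/* Number of library-heap blocks still outstanding (leak check). */
int img_live_count(void) {
    int n = 0;
    for (int i = 0; i < IMG_HEAP_SLOTS; i++)
        if (img_live[i]) n++;
    return n;
}

enum { RELEASE_BUGGY = 0, RELEASE_FIXED = 1 };

/* Mirrors IMG_LoadLBM_RW()'s temporary buffer: allocated from the library heap,
 * then released either with the wrong allocator (the bug) or the right one (the fix).
 * Returns the release status: 0 = clean, -1 = allocator mismatch detected. */
int load_and_release(int variant) {
    unsigned char *MiniBuf = img_malloc(256);
    if (!MiniBuf) return -2;
    memset(MiniBuf, 0xAB, 256);            /* stand-in for the decoding work */
    int rc = (variant == RELEASE_BUGGY) ? crt_free(MiniBuf) : img_free(MiniBuf);
    if (rc != 0) img_free(MiniBuf);        /* the refused block is still ours; release it properly */
    return rc;
}
```

The registry is the part worth keeping in a debug build: a `free` wrapper that can answer "does this heap own the pointer?" turns the silent corruption the report describes into an immediate, attributable failure, and the same check is cheap to add around any library that ships its own allocator.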