Bug 1821

Summary: IMG_LoadLBM/PNM/XCF_RW() crash with a heap corruption on loading LBM, PNM or XCF images
Product: SDL_image
Reporter: Marcus von Appen <mva>
Component: misc
Assignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED
QA Contact: Sam Lantinga <slouken>
Severity: critical
Priority: P2
Version: unspecified
Hardware: All
OS: Windows 7

Description Marcus von Appen 2013-04-24 05:51:29 UTC
Trying to load an LBM image via any of the IMG_* functions will lead to a heap corruption on Windows 7, causing the application to crash.

The problem is caused by the usage of SDL_malloc on Win32, which by default uses dlmalloc, which in turn redefines malloc and free within the SDL address space.

The CRT heap manager hence is unaware of the pointer being allocated and will try to free an unmanaged memory segment by calling free() on the temporary buffer in IMG_LoadLBM_RW().

Patch:

--- a/IMG_lbm.c Tue Apr 23 20:15:22 2013 -0700
+++ b/IMG_lbm.c Wed Apr 24 11:36:29 2013 +0200
@@ -467,7 +467,7 @@

 done:

-       if ( MiniBuf ) free( MiniBuf );
+       if ( MiniBuf ) SDL_free( MiniBuf );

        if ( error )
        {
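Review bot: the hunk only shows the release side, so the fix is correct only if MiniBuf is allocated with SDL_malloc earlier in IMG_LoadLBM_RW(); please confirm the allocation site, otherwise replacing `free( MiniBuf )` with `SDL_free( MiniBuf )` merely inverts the allocator mismatch. The `if ( MiniBuf )` guard is harmless and can stay, but a one-line comment at the allocation noting that the buffer must be released with SDL_free would keep the pairing from regressing.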
Comment 1 Marcus von Appen 2013-04-24 06:03:41 UTC
The same happens in IMG_LoadPNM_RW().

Patch:

--- a/IMG_pnm.c Tue Apr 23 20:15:22 2013 -0700
+++ b/IMG_pnm.c Wed Apr 24 12:01:45 2013 +0200
@@ -229,7 +229,7 @@
                row += surface->pitch;
        }
 done:
-       free(buf);
+       SDL_free(buf);
        if(error) {
                SDL_RWseek(src, start, RW_SEEK_SET);
                if ( surface ) {
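Review bot: `SDL_free(buf)` now runs unconditionally at `done:` before the `if(error)` check, so every `goto done` in IMG_LoadPNM_RW() must either happen after buf is allocated or rely on SDL_free tolerating a NULL pointer; please confirm one of the two holds, and confirm that buf itself comes from SDL_malloc, since the hunk shows only the release.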
Comment 2 Marcus von Appen 2013-04-24 06:11:24 UTC
And it also happens for IMG_LoadXCF_RW().

Patch:

--- a/IMG_xcf.c Tue Apr 23 20:15:22 2013 -0700
+++ b/IMG_xcf.c Wed Apr 24 12:10:26 2013 +0200
@@ -287,7 +287,7 @@

 static void free_xcf_header (xcf_header * h) {
   if (h->cm_num)
-    free (h->cm_map);
+    SDL_free (h->cm_map);

   free (h);
 }
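Review bot: the hunk changes `free (h->cm_map)` to `SDL_free (h->cm_map)` but leaves `free (h);` two lines below on the CRT free. If the header struct is allocated with SDL_malloc as well, this hunk is incomplete and `free (h)` reproduces the same heap corruption the bug reports; if it is deliberately allocated with malloc, the file now mixes both allocators inside one destructor and that should be stated in a comment next to `free (h);`.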
@@ -359,7 +359,7 @@

 static void free_xcf_channel (xcf_channel * c) {
   free (c->name);
-  free (c);
+  SDL_free (c);
 }

 static xcf_channel * read_xcf_channel (SDL_RWops * src) {
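Review bot: `free (c->name)` is left as the CRT free while `free (c)` becomes `SDL_free (c)`. Unless c->name is obtained from a malloc-based routine, it should be released with SDL_free too; please check where read_xcf_channel() allocates the name and make both releases in free_xcf_channel() use the same allocator as the corresponding allocation.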
@@ -425,8 +425,8 @@
 }

 static void free_xcf_level (xcf_level * l) {
-  free (l->tile_file_offsets);
-  free (l);
+  SDL_free (l->tile_file_offsets);
+  SDL_free (l);
 }

 static xcf_level * read_xcf_level (SDL_RWops * src) {
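Review bot: both releases in free_xcf_level() now go through SDL_free, which is consistent, but the hunk does not show the allocations; please verify that read_xcf_level() obtains both l and l->tile_file_offsets from SDL_malloc, since a single remaining malloc() would reintroduce the mismatch this series is fixing.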
Comment 3 Sam Lantinga 2013-04-25 03:23:36 UTC
Fixed, thanks!
http://hg.libsdl.org/SDL_image/rev/b2aa197f6774
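The root cause described in the bug report is an allocator mismatch: a buffer obtained from the library's private allocator (SDL_malloc, backed by dlmalloc on Win32) is handed to the CRT free(), which does not own it. The following C program is an added example and not SDL_image code: app_malloc/app_free/app_owns are hypothetical stand-ins for SDL_malloc/SDL_free that record every live block they hand out, so a debug build can detect a foreign pointer before releasing it instead of corrupting the heap. release_via_crt models the unpatched pairing (detected and refused), release_via_app the patched one.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for SDL_malloc/SDL_free (constructed for this example):
 * a private allocator that remembers every live block it hands out, so that
 * ownership can be checked before a pointer is released. */
#define APP_MAX_LIVE 64
static void *app_live[APP_MAX_LIVE];
static size_t app_live_count = 0;

void *app_malloc(size_t n)
{
    if (app_live_count == APP_MAX_LIVE)
        return NULL;
    void *p = malloc(n ? n : 1);
    if (p)
        app_live[app_live_count++] = p;
    return p;
}

/* 1 if p is a live block from app_malloc, 0 otherwise. Uses the registry rather
 * than reading a header in front of p, so foreign pointers are never dereferenced. */
int app_owns(const void *p)
{
    for (size_t i = 0; i < app_live_count; i++)
        if (app_live[i] == p)
            return 1;
    return 0;
}

/* Matching release. Returns 1 when the block was ours and is now freed; a pointer
 * from another allocator is left untouched and 0 is returned. */
int app_free(void *p)
{
    for (size_t i = 0; i < app_live_count; i++) {
        if (app_live[i] == p) {
            app_live[i] = app_live[--app_live_count];
            free(p);
            return 1;
        }
    }
    return 0;
}

/* The pairing from the unpatched loaders: a library-allocated buffer handed to the
 * CRT free(). On Windows that corrupts the CRT heap; here the ownership check
 * refuses instead of freeing and returns 0 so the caller can see the bug. */
int release_via_crt(void *p)
{
    if (app_owns(p))
        return 0;
    free(p);
    return 1;
}

/* The patched pairing: allocation and release through the same allocator. */
int release_via_app(void *p)
{
    return app_free(p);
}

/* Models the loaders' temporary buffer: allocate with the library allocator, then
 * release with either the CRT free (fixed == 0) or the matching free (fixed == 1).
 * Returns 1 on a clean release, 0 when the mismatch was detected. */
int load_with_temp_buffer(int fixed)
{
    void *minibuf = app_malloc(256);
    if (!minibuf)
        return 0;
    int ok = fixed ? release_via_app(minibuf) : release_via_crt(minibuf);
    if (!ok)
        app_free(minibuf); /* refused above: release correctly so nothing leaks */
    return ok;
}

int main(void)
{
    printf("unpatched pairing detected: %s\n", load_with_temp_buffer(0) ? "no" : "yes");
    printf("patched pairing clean:      %s\n", load_with_temp_buffer(1) ? "yes" : "no");
    return 0;
}
```

The registry approach is what a debug allocator in a DLL can afford: the CRT side cannot be taught about blocks it never handed out, so the check has to live on the side that does own them, which is why each of the three patches above moves the release to SDL_free rather than changing the allocation.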