
Bug 3872

Summary: Out of bound access in SDL_CreateRenderer (inside SDL_events.c)
Product: SDL
Reporter: Andrei Karas <akaras>
Component: video
Assignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED
QA Contact: Sam Lantinga <slouken>
Severity: major
Priority: P2
CC: bastien.bouclet, sezeroz
Version: HG 2.0
Hardware: x86_64
OS: Linux

Description Andrei Karas 2017-10-11 18:02:52 UTC
Issue detected in default HG branch. Current changeset 11593:b5e404b928ea

Stack and some messages from testnative with valgrind:
INFO: Creating native window for x11 driver
==2397== Invalid write of size 8
==2397==    at 0x4E7164A: SDL_AddEventWatch_REAL (SDL_events.c:809)
==2397==    by 0x4E824E8: SDL_CreateRenderer_REAL (SDL_render.c:342)
==2397==    by 0x401076: main (testnative.c:170)
==2397==  Address 0x11b601a8 is 0 bytes after a block of size 8 alloc'd
==2397==    at 0x4C2BADF: malloc (vg_replace_malloc.c:298)
==2397==    by 0x4C2DE5F: realloc (vg_replace_malloc.c:785)
==2397==    by 0x4E7161F: SDL_AddEventWatch_REAL (SDL_events.c:802)
==2397==    by 0x4E824E8: SDL_CreateRenderer_REAL (SDL_render.c:342)
==2397==    by 0x401076: main (testnative.c:170)
==2397== 
==2397== Invalid write of size 4
==2397==    at 0x4E7164E: SDL_AddEventWatch_REAL (SDL_events.c:810)
==2397==    by 0x4E824E8: SDL_CreateRenderer_REAL (SDL_render.c:342)
==2397==    by 0x401076: main (testnative.c:170)
==2397==  Address 0x11b601b0 is 8 bytes after a block of size 8 alloc'd
==2397==    at 0x4C2BADF: malloc (vg_replace_malloc.c:298)
==2397==    by 0x4C2DE5F: realloc (vg_replace_malloc.c:785)
==2397==    by 0x4E7161F: SDL_AddEventWatch_REAL (SDL_events.c:802)
==2397==    by 0x4E824E8: SDL_CreateRenderer_REAL (SDL_render.c:342)
==2397==    by 0x401076: main (testnative.c:170)
==2397== 
X Error of failed request:  BadWindow (invalid Window parameter)
  Major opcode of failed request:  148 ()
  Minor opcode of failed request:  1
  Resource id in failed request:  0x8400001
  Serial number of failed request:  662
  Current serial number in output stream:  663


Similar issue detected in own code with asan:
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000d91b8 at pc 0x7f80f23e4428 bp 0x7ffd39a70600 sp 0x7ffd39a705f8
WRITE of size 8 at 0x6020000d91b8 thread T0
    #0 0x7f80f23e4427 in SDL_AddEventWatch_REAL /mnt/src/spm/tmp/SDL2/src/events/SDL_events.c:809
    #1 0x7f80f242ab51 in SDL_CreateRenderer_REAL /mnt/src/spm/tmp/SDL2/src/render/SDL_render.c:342
    #2 0x1278fd6 in GraphicsManager::createRenderer(SDL_Window*, int) ../../../src/graphicsmanager.cpp:624


And a related-looking error, from CI:
==20830==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa8c96269e5 sp 0x7ffef9738850 bp 0x000000000030 T0)
    #0 0x7fa8c96269e4 in SDL_PushEvent_REAL /usr/local/spm/tmp/SDL2/src/events/SDL_events.c:724
    #1 0x7fa8c962d61a in SDL_SendWindowEvent /usr/local/spm/tmp/SDL2/src/events/SDL_windowevents.c:215
    #2 0x7fa8c96c2b0d in SDL_CreateWindow_REAL /usr/local/spm/tmp/SDL2/src/video/SDL_video.c:1495

CI sets env variable SDL_VIDEODRIVER=dummy.
Comment 1 bastien.bouclet 2017-10-11 19:09:06 UTC
Looks like sizeof is called on a pointer instead of a struct when resizing the SDL_event_watchers array (when calling SDL_memmove and SDL_realloc).
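The sizing mistake described in comment 1, as an added example that is not SDL's code: a small event-watcher list whose realloc and memmove byte counts are taken from `sizeof` on the pointer variable, next to the corrected form that sizes by the element. The `Watcher` layout (function pointer, user pointer, int), the `WatcherList` type and every function name here are assumptions for illustration; the layout was chosen so that the valgrind offsets in the report (an 8-byte write at offset 8 and a 4-byte write at offset 16 past an 8-byte block) fall where this code would put them, which is what makes the defect recognisable from the trace alone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical watcher record (assumed layout, not SDL's definition). */
typedef int (*watch_fn)(void *userdata, const char *event);

typedef struct {
    watch_fn callback;
    void *userdata;
    int removed;
} Watcher;

typedef struct {
    Watcher *items;   /* heap array, grown with realloc on every add */
    int count;
} WatcherList;

/* Defective sizing: sizeof applied to the pointer variable. Every entry is
 * charged sizeof(Watcher *) bytes regardless of how large a Watcher is, so
 * the block is too small and the stores past the first pointer-sized field
 * run off its end (the "Invalid write" lines in the valgrind report). */
size_t buggy_alloc_size(const WatcherList *list, int n)
{
    return (size_t)n * sizeof(list->items);
}

/* Correct sizing: sizeof applied to the element the pointer points at. */
size_t correct_alloc_size(const WatcherList *list, int n)
{
    return (size_t)n * sizeof(*list->items);
}

/* Corrected append: grow by the element size, and commit the new pointer and
 * count only after realloc succeeded so the old array stays valid on failure. */
int watcher_list_add(WatcherList *list, watch_fn cb, void *userdata)
{
    Watcher *grown = realloc(list->items, correct_alloc_size(list, list->count + 1));
    if (grown == NULL) {
        return -1;
    }
    list->items = grown;
    list->items[list->count].callback = cb;
    list->items[list->count].userdata = userdata;
    list->items[list->count].removed = 0;
    list->count++;
    return 0;
}

/* Corrected removal: the memmove byte count follows the same element-size rule. */
int watcher_list_remove(WatcherList *list, int index)
{
    if (index < 0 || index >= list->count) {
        return -1;
    }
    memmove(&list->items[index], &list->items[index + 1],
            (size_t)(list->count - index - 1) * sizeof(*list->items));
    list->count--;
    return 0;
}

void watcher_list_free(WatcherList *list)
{
    free(list->items);
    list->items = NULL;
    list->count = 0;
}

/* Bytes the defective sizing falls short by on the first insert. With the
 * layout above on x86_64 this is 24 - 8 = 16, matching the two out-of-bounds
 * writes (userdata at offset 8, removed at offset 16) in the report. */
size_t shortfall_on_first_insert(void)
{
    WatcherList empty = { NULL, 0 };
    return correct_alloc_size(&empty, 1) - buggy_alloc_size(&empty, 1);
}

static int demo_cb(void *userdata, const char *event)
{
    (void)userdata; (void)event;
    return 1;
}

/* Exercises the corrected list: two adds and one remove. Returns the final
 * count (1) when the surviving entry is the expected one, otherwise -1. */
int demo_corrected_list(void)
{
    WatcherList list = { NULL, 0 };
    int tag1 = 1, tag2 = 2;
    if (watcher_list_add(&list, demo_cb, &tag1) != 0) return -1;
    if (watcher_list_add(&list, demo_cb, &tag2) != 0) return -1;
    if (watcher_list_remove(&list, 0) != 0) return -1;
    int ok = (list.items[0].userdata == &tag2);
    int count = list.count;
    watcher_list_free(&list);
    return ok ? count : -1;
}

int main(void)
{
    printf("per-entry bytes: buggy=%zu correct=%zu (short by %zu)\n",
           sizeof(Watcher *), sizeof(Watcher), shortfall_on_first_insert());
    printf("corrected list demo -> %d\n", demo_corrected_list());
    return 0;
}
```

The buggy sizing compiles without a warning because both `sizeof` forms are valid expressions; only a dereference-style `sizeof(*p)` (or `sizeof(Watcher)`) ties the byte count to the element type, which is why this class of defect surfaces first under Valgrind or AddressSanitizer, as in the report, rather than at build time.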
Comment 2 Sam Lantinga 2017-10-11 20:27:18 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/7ee20a756f96