
Bug 4825

Summary: OpenGL: Buffer overflow in GL_RunCommandQueue
Product: SDL
Reporter: sowfelicity
Component: render
Assignee: Sam Lantinga <slouken>
Status: RESOLVED FIXED
QA Contact: Sam Lantinga <slouken>
Severity: normal
Priority: P2
CC: eric.t.scrivner, sowfelicity, sylvain.becker
Version: HG 2.1
Hardware: x86_64
OS: All
Attachments: Reset the verts pointer.

Description sowfelicity 2019-10-13 08:47:47 UTC
Created attachment 3984 [details]
Reset the verts pointer.

SDL_RenderDrawLine overflows the verts buffer in the OpenGL renderer.

Output of valgrind:

ATTENTION: default value of option vblank_mode overridden by environment.
==19519== Conditional jump or move depends on uninitialised value(s)
==19519==    at 0x408D282: GL_RunCommandQueue (SDL_render_gl.c:1233)
==19519==    by 0x4086BD0: FlushRenderCommands (SDL_render.c:216)
==19519==    by 0x4086BD0: SDL_RenderPresent_REAL (SDL_render.c:3089)
...

src/render/opengl/SDL_render_gl.c:
                    for (i = 0; i < count; ++i, verts += 2) {
                        data->glVertex2f(verts[0], verts[1]);
                    }
                    /* after this loop verts has been advanced by count*2 floats,
                       i.e. it now points one past the end of the point data */
...
                    #if defined(__MACOSX__) || defined(__WIN32__)
                    /* Mac OS X and Windows seem to always leave the last point open */
                    /* BUG: indexes are taken from the already-advanced verts pointer,
                       so this reads past the end of the buffer */
                    data->glVertex2f(verts[(count-1)*2], verts[(count*2)-1]);
                    #else
                    /* Linux seems to leave the right-most or bottom-most point open */
                    /* BUG: same over-read on this branch; every index here is
                       relative to the advanced pointer, not the start of the data */
                    x1 = verts[0];
                    y1 = verts[1];
                    x2 = verts[(count-1)*2];
                    y2 = verts[(count*2)-1];
...
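To make the over-read concrete, here is an added example (not SDL's code, and not the patch from the attachment) that models the two pieces of arithmetic side by side: the cursor left behind by the drawing loop, and the "last point" index computed either from that advanced cursor (the reported bug) or from the start of the buffer (the approach the attachment title "Reset the verts pointer" describes; that it matches the committed fix is an assumption). The vertex data, the point count and every function name are constructed for the example. The buggy read is only attempted after a bounds check, so the program itself never touches memory outside the buffer.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 3 points, interleaved x,y (6 floats). */
static const float SAMPLE_VERTS[] = { 0.0f, 0.0f, 10.0f, 0.0f, 10.0f, 10.0f };
#define SAMPLE_COUNT ((size_t)3)

/* Emulates the loop from GL_RunCommandQueue: visits every point, advancing
   the cursor by 2 floats per point. Returns the cursor offset (in floats)
   from the start of the buffer once the loop is done: always count * 2. */
static size_t walk_points(const float *verts, size_t count)
{
    const float *p = verts;
    size_t i;
    for (i = 0; i < count; ++i, p += 2) {
        (void)p[0]; (void)p[1];   /* stand-in for data->glVertex2f(p[0], p[1]) */
    }
    return (size_t)(p - verts);
}

/* Float index of the last point's x as the buggy code computes it:
   (count-1)*2 measured from the ALREADY ADVANCED cursor. Assumes count >= 1. */
static size_t buggy_last_x_index(size_t count)
{
    size_t cursor = count * 2;            /* where the loop left the pointer */
    return cursor + (count - 1) * 2;
}

/* Same index after resetting the cursor to the start of the buffer. */
static size_t fixed_last_x_index(size_t count)
{
    return (count - 1) * 2;
}

/* 1 if reading floats index and index+1 stays inside a buffer of nfloats. */
static int point_in_bounds(size_t index, size_t nfloats)
{
    return index + 1 < nfloats;
}

/* Reads the last point using either arithmetic. Returns 1 and fills x/y on
   success; returns 0 without touching memory when the read would run past
   the buffer, which is exactly the access valgrind flagged in the report. */
static int read_last_point(const float *verts, size_t count, int use_fix,
                           float *x, float *y)
{
    size_t nfloats = count * 2;
    size_t idx;
    if (count == 0) {
        return 0;
    }
    walk_points(verts, count);
    idx = use_fix ? fixed_last_x_index(count) : buggy_last_x_index(count);
    if (!point_in_bounds(idx, nfloats)) {
        return 0;
    }
    *x = verts[idx];
    *y = verts[idx + 1];
    return 1;
}

/* Convenience for checking the sample: returns the requested coordinate of
   the last point, or -1 when the read was refused as out of bounds. */
static float sample_last_coord(int use_fix, int want_y)
{
    float x = 0.0f, y = 0.0f;
    if (!read_last_point(SAMPLE_VERTS, SAMPLE_COUNT, use_fix, &x, &y)) {
        return -1.0f;
    }
    return want_y ? y : x;
}

int main(void)
{
    float x = 0.0f, y = 0.0f;
    if (!read_last_point(SAMPLE_VERTS, SAMPLE_COUNT, 0, &x, &y)) {
        printf("buggy: last-point read at float index %zu, buffer holds %zu floats\n",
               buggy_last_x_index(SAMPLE_COUNT), SAMPLE_COUNT * 2);
    }
    if (read_last_point(SAMPLE_VERTS, SAMPLE_COUNT, 1, &x, &y)) {
        printf("fixed: last point = (%g, %g)\n", x, y);
    }
    return 0;
}
```

For three points the buggy index lands at float 10 of a 6-float buffer (roughly one full buffer past the end), which is why valgrind reports the value as uninitialised rather than crashing: the bytes usually belong to the same allocation or its neighbour. Any pattern that advances a pointer in a loop and then indexes it as if it were still the base is worth a quick grep in a renderer or codec, since the distance past the end grows with the input size.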
Comment 1 Sylvain 2019-10-13 18:53:35 UTC
Thanks, fixed: https://hg.libsdl.org/SDL/rev/3276502021a5
Comment 2 Ryan C. Gordon 2020-02-17 21:39:18 UTC
*** Bug 4972 has been marked as a duplicate of this bug. ***