Bug 5408

Summary: [Patch] Use after free in KMSDRM_VideoInit
Product: SDL
Reporter: Mathieu Eyraud <meyraud705>
Component: video
Assignee: Manuel Alfayate Corchete <redwindwanderer>
Status: RESOLVED FIXED
QA Contact: Sam Lantinga <slouken>
Severity: normal
Priority: P2
CC: redwindwanderer
Version: 2.0.14
Hardware: x86_64
OS: Linux
Attachments: move SDL_free at the end

Description Mathieu Eyraud 2020-12-21 10:58:04 UTC
Created attachment 4594
move SDL_free at the end

KMSDRM_VideoInit uses variable 'dispdata' after it is freed:

in KMSDRM_VideoInit:
 - dispdata is allocated on line 1557.
 - call KMSDRM_DisplayDataInit on line 1575.
   
   in KMSDRM_DisplayDataInit:
     - in case of error, 'dispdata' is freed on line 1243

return to KMSDRM_VideoInit:
 - KMSDRM_DisplayDataInit returned an error so go to 'cleanup' on line 1603.
 - use of dispdata on line 1607

Attached a patch that moves SDL_free at the end of KMSDRM_VideoInit.
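
The lifetime bug described in this report, modelled as an added example (not SDL code and not the attached patch): a static slot with a liveness flag stands in for the heap allocation, so the stale access in the cleanup path is counted rather than executed as undefined behaviour. All names (DispData, display_data_init, video_init, crtc_id) are hypothetical.

```c
#include <stdio.h>

/* Hypothetical stand-in for the driver's display data. A static slot with a
   liveness flag replaces heap allocation so a stale access is counted
   instead of being undefined behaviour. */
typedef struct { int alive; int crtc_id; } DispData;

static DispData slot;
static int stale_uses;                 /* accesses made after release */

static DispData *disp_alloc(void) { slot.alive = 1; slot.crtc_id = 42; return &slot; }
static void disp_release(DispData *d) { d->alive = 0; }
static int disp_read(const DispData *d) {
    if (!d->alive) { stale_uses++; return -1; }  /* use after free in real code */
    return d->crtc_id;
}

/* Constructed helper that always fails. callee_frees=1 models the reported
   behaviour: the error path releases memory the caller still owns. */
static int display_data_init(DispData *d, int callee_frees) {
    if (callee_frees) disp_release(d);
    return -1;
}

/* Models the caller; returns how many stale accesses its cleanup made. */
int video_init(int callee_frees) {
    DispData *d = disp_alloc();
    stale_uses = 0;
    if (display_data_init(d, callee_frees) != 0) goto cleanup;
    /* further initialisation steps would run here on success */
cleanup:
    (void)disp_read(d);                /* cleanup still reads the display data */
    if (d->alive) disp_release(d);     /* release once, as the last step */
    return stale_uses;
}

int main(void) {
    printf("helper frees on error: %d stale access(es)\n", video_init(1));
    printf("caller frees at end:   %d stale access(es)\n", video_init(0));
    return 0;
}
```

In a real build the same ordering problem is caught by compiling with AddressSanitizer (`-fsanitize=address`) and forcing the helper's error path.
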
Comment 1 Manuel Alfayate Corchete 2020-12-21 17:36:43 UTC
@Mathieu

Thanks for this. It seems I tend to forget these small details, so patches like this are VERY welcome for me.

I have included this patch on my latest hg push.
Comment 2 Sam Lantinga 2020-12-21 17:42:52 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/077bbd54eff2