| Summary: | SDL SVN 1.3 2008-12-09, win32 platform, invalid memory free in SDL_win32mouse.c | ||
|---|---|---|---|
| Product: | SDL | Reporter: | Andrew <arahome> |
| Component: | events | Assignee: | Ryan C. Gordon <icculus> |
| Status: | RESOLVED FIXED | QA Contact: | Sam Lantinga <slouken> |
| Severity: | critical | ||
| Priority: | P2 | ||
| Version: | HG 2.0 | ||
| Hardware: | x86 | ||
| OS: | Windows (All) | ||

It looks like this code was reviewed and fixed in revision 4334. Thanks!

File SDL_win32mouse.c caused an invalid memory de-allocation at line 129:

    SDL_free(buffer);

This is caused by incorrect manipulation of the pointer variable "buffer" at line 96:

    buffer += 4;

which is allocated at line 87:

    buffer = SDL_malloc((tmp + 1) * sizeof(char));

This bug is fixed by a fast workaround: adding at line 128 a new line with:

    buffer -= 4;

just before the if operator.

Recommended to completely review this section of code. Also, line 88 looks quite incorrect:

    key_name = SDL_malloc(tmp + sizeof(reg_key_root) * sizeof(char));

- tmp is not multiplied by sizeof(char)
- the size of a char pointer is counted instead of strlen
- the zero string end is not counted
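
An added example, not part of the report and not SDL's code: one way to avoid both problems described above is to skip the prefix through a second pointer, so the allocation's original address is what gets freed, and to size the second buffer from `strlen()` plus the terminator. The function name, the root string, the sample device name and the use of plain `malloc`/`free` are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: the root string is constructed for this example;
   only the 4-byte skip comes from the report. */
static const char *reg_key_root = "Example\\Root\\";
#define PREFIX_LEN 4

/* Returns a newly allocated "<reg_key_root><name without prefix>" string,
   or NULL on short input or allocation failure. Caller frees the result. */
char *build_key_name(const char *device_name)
{
    size_t len = strlen(device_name);
    char *buffer, *key_name;
    const char *cursor;
    size_t need;

    if (len < PREFIX_LEN)
        return NULL;              /* nothing to skip: never step past the end */

    buffer = malloc(len + 1);     /* + 1 for the terminating NUL */
    if (buffer == NULL)
        return NULL;
    memcpy(buffer, device_name, len + 1);

    /* Skip the prefix with a second pointer. `buffer` keeps the exact
       address malloc() returned, the only value free() may be given. */
    cursor = buffer + PREFIX_LEN;

    /* strlen() of the root, not sizeof a pointer, plus the NUL. */
    need = strlen(reg_key_root) + strlen(cursor) + 1;
    key_name = malloc(need);
    if (key_name != NULL)
        snprintf(key_name, need, "%s%s", reg_key_root, cursor);

    free(buffer);                 /* original pointer, not buffer + 4 */
    return key_name;
}

int main(void)
{
    char *k = build_key_name("\\\\?\\ACPI#PNP0F13");  /* constructed input */
    if (k != NULL) {
        puts(k);
        free(k);
    }
    return 0;
}
```

Building this with AddressSanitizer (`-fsanitize=address`) reports a `free()` of an interior pointer or an undersized destination buffer at the faulting line, which makes this class of bug quick to confirm.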