Bug 1533 - SDL_Keycode value range allows segfaults with negative values
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: events
Version: HG 2.0
Hardware: All All
Importance: P2 normal
Assignee: Andreas Schiffler
QA Contact: Sam Lantinga
Reported: 2012-07-03 01:48 UTC by Marcus von Appen
Modified: 2013-03-09 02:08 UTC

Attachments
SDL_GetKeyName() patch (584 bytes, application/octet-stream)
2012-07-03 01:48 UTC, Marcus von Appen

Description Marcus von Appen 2012-07-03 01:48:20 UTC
Created attachment 893
SDL_GetKeyName() patch

SDL_Keycode is defined as Sint32, although the mapping tables for keycodes and scancodes indicate that there is no need to have negative keycode values.

The missing range definition can cause an index overflow in SDL_GetKeyName()/SDL_GetScancodeName(), when an improper (key & ~SDLK_SCANCODE_MASK) value is passed around.

Test program:

#include <stdio.h> /* printf */
#include <SDL.h>
int main (int argc, char *argv[])
{
    SDL_Keycode val = -88; /* perfectly valid (technical) assignment */
    printf ("'%d'\n", ((SDL_Scancode)(val & ~SDLK_SCANCODE_MASK)));
    printf ("'%s'\n", SDL_GetKeyName (val));
    return 0;
}

Fixes:

1) redefine typedef Sint32 SDL_Keycode; to typedef Uint32 SDL_Keycode;
This will warn developers at compile time about improper value usage.
2) use the attached patch to do a proper range check for SDL_Scancode results in SDL_GetKeyName().
Comment 1 Andreas Schiffler 2013-03-08 22:48:42 UTC
Assigning to myself to fix and add test coverage.
Comment 2 Andreas Schiffler 2013-03-09 02:08:47 UTC
Added range checking and test cases.
http://hg.libsdl.org/SDL/rev/b72f56ab9867

Since ABI is locked, we don't want to change the typedef at this point.
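
Added example (not SDL's code and not the attached patch): a self-contained sketch of the range check discussed in this bug, with the keycode type left signed as Comment 2 requires. The EX_ names, the 8-entry table and its contents are constructed for illustration; the bit-30 flag is assumed to mirror SDLK_SCANCODE_MASK.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins, constructed for this example (not SDL's definitions):
   bit 30 marks a scancode-derived keycode, as SDLK_SCANCODE_MASK does. */
#define EX_SCANCODE_MASK (1 << 30)
#define EX_NUM_SCANCODES 8

/* Constructed name table; unnamed slots are NULL. */
static const char *const ex_names[EX_NUM_SCANCODES] = {
    NULL, NULL, NULL, NULL, "A", "B", "C", "D"
};

/* Index the unchecked lookup would use: the keycode with the flag bit cleared. */
int32_t ex_masked_index(int32_t key)
{
    return key & ~EX_SCANCODE_MASK;
}

/* Checked lookup. The keycode type stays signed, so the lower bound is
   tested as well as the upper one; an upper-bound test alone would let
   the negative index produced by -88 through. */
const char *ex_scancode_name(int32_t key)
{
    int32_t idx = ex_masked_index(key);

    if (!(key & EX_SCANCODE_MASK))
        return "";                  /* not scancode-derived: out of scope here */
    if (idx < 0 || idx >= EX_NUM_SCANCODES)
        return "";                  /* reject instead of indexing the table */
    return ex_names[idx] ? ex_names[idx] : "";
}

int main(void)
{
    int32_t bad = -88;                    /* value from the test program above */
    int32_t good = EX_SCANCODE_MASK | 4;  /* constructed valid keycode */

    printf("masked index for %d: %d\n", (int)bad, (int)ex_masked_index(bad));
    printf("checked name for %d: '%s'\n", (int)bad, ex_scancode_name(bad));
    printf("checked name for valid key: '%s'\n", ex_scancode_name(good));
    return 0;
}
```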