
Bug 1953 - Crash at memcpy X11_DispatchEvent(_THIS) Function
Summary: Crash at memcpy X11_DispatchEvent(_THIS) Function
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video (show other bugs)
Version: 2.0.0
Hardware: x86 Linux
Importance: P2 major
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
Reported: 2013-07-10 08:46 UTC by Nitz
Modified: 2013-07-11 00:58 UTC

Description Nitz 2013-07-10 08:46:56 UTC
In function X11_DispatchEvent(_THIS), case SelectionNotify:

static void
X11_DispatchEvent(_THIS)
{
    // Some Code
    case SelectionNotify: {
        // Some Code
        SDL_bool expect_lf = SDL_FALSE;
        char *start = NULL; // Initialised with NULL
        char *scan = (char*)p.data;
        char *fn;
        char *uri;
        int length = 0;
        while (p.count--) {
            if (!expect_lf) {
                if (*scan==0x0D) {
                    expect_lf = SDL_TRUE;
                } else if(start == NULL) {
                    start = scan;
                    length = 0;
                }
                length++;
            } else {
                if (*scan==0x0A && length>0) {
                    uri = malloc(length--);

                    memcpy(uri, start, length); // Problem is here: start is still NULL if control comes to the else statement without initialising the start pointer, which is wrong

                    uri[length] = 0;
                    fn = X11_URIToLocal(uri);
                    if (fn) SDL_SendDropFile(fn);
                    free(uri);
                }
                expect_lf = SDL_FALSE;
                start = NULL;
            }
            scan++;
        }
    }
As shown above, the start pointer remains NULL. The patch for this issue would be:

                if (*scan==0x0D) {
                    expect_lf = SDL_TRUE;
                }
                if(start == NULL) {
                    start = scan;
                    length = 0;
                }

Just replace the else if statement with if.

Thanks,
Nitz
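A small C reproduction of the condition described in the report, added here as an example and not taken from the report or from SDL: reaches_null_memcpy replays the posted loop on a constructed buffer and reports whether the memcpy would run with start == NULL (a CRLF-only line following a completed line, because length is never reset), and parse_uri_list is a hardened variant of the same loop that checks start, resets length, and counts payload bytes only. Both function names and the sample input kSample are constructed for this example; this is not the fix in the linked revision.

```c
#include <stdlib.h>
#include <string.h>

static const char kSample[] = "file:///tmp/a\r\n\r\nfile:///tmp/b\r\n"; /* constructed sample */

/* Replays the reported loop without the memcpy; returns 1 if that memcpy
 * would be reached with start == NULL (undefined behaviour), else 0. */
static int reaches_null_memcpy(const char *data, size_t count)
{
    int expect_lf = 0, length = 0;
    const char *start = NULL;
    while (count--) {
        if (!expect_lf) {
            if (*data == 0x0D) expect_lf = 1;
            else if (start == NULL) { start = data; length = 0; }
            length++;                   /* also counted for the CR byte */
        } else {
            if (*data == 0x0A && length > 0 && start == NULL) return 1;
            expect_lf = 0;
            start = NULL;               /* length not reset: leaks into next line */
        }
        data++;
    }
    return 0;
}

/* Hardened variant: a line is copied only when start is non-NULL, and length
 * is reset at every line end, so a CRLF-only line is skipped. Stores up to
 * max_out malloc'd NUL-terminated lines in out[] (caller frees); returns count. */
static size_t parse_uri_list(const char *data, size_t count,
                             char **out, size_t max_out)
{
    int expect_lf = 0; size_t length = 0, n = 0;
    const char *start = NULL;
    while (count--) {
        if (!expect_lf) {
            if (*data == 0x0D) expect_lf = 1;
            else { if (start == NULL) start = data; length++; }  /* payload only */
        } else {
            if (*data == 0x0A && start != NULL && length > 0 && n < max_out) {
                char *uri = malloc(length + 1);
                if (uri) { memcpy(uri, start, length); uri[length] = '\0'; out[n++] = uri; }
            }
            expect_lf = 0; start = NULL; length = 0;   /* clean state per line */
        }
        data++;
    }
    return n;
}
```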
Comment 1 Sam Lantinga 2013-07-11 00:58:34 UTC
Fixed, thanks!
http://hg.libsdl.org/SDL/rev/a36ab6149a10