This bug report was migrated from our old Bugzilla tracker.
Reported in version: 2.0.0
Reported for operating system, platform: Linux, x86
Comments on the original bug report:
On 2013-08-21 13:24:47 +0000, Donny wrote:
I'm hitting an infinite loop in SDL_GetErrorMsg in SDL_error.c
Happens in while loop @ line 141 (SDL2-2.0.0 release tarball)
On 2013-09-07 06:47:45 +0000, Sam Lantinga wrote:
What's the error message that it's trying to parse?
Can you print out the entire error structure?
Thanks!
On 2014-02-23 05:49:13 +0000, Ryan C. Gordon wrote:
I can't see a way this loop would be infinite, but you can definitely jump off the end of the format string if it ends with a '%' char.
The "switch (spot[-2])" should have a "case '\0'" section that bails out in this case.
--ryan.
On 2014-02-23 05:59:39 +0000, Ryan C. Gordon wrote:
And I guess if SDL_snprintf() returns a negative number, which it does with some C runtimes, we have issues, too. Maybe in a pathological case, we write before the start of a stack array and it replaces fmt with a valid pointer that keeps pushing us into a loop that writes over fmt again?
On other C runtimes, SDL_snprintf() returns characters it would have written if there were space, which means we'll probably overflow the other end of the array on those systems.
In either case, we check if maxlen > 0, but it's unsigned, so either bug will probably cause it to grow or wrap around to 0xFFFFFFFF.
It's the best I've got. These are real bugs in any case, even if we can't to the infinite loop.
--ryan.
On 2015-02-19 05:22:21 +0000, Ryan C. Gordon wrote:
Marking a large number of bugs with the "triage-2.0.4" keyword at once. Sorry if you got a lot of email from this. This is to help me sort through some bugs in regards to a 2.0.4 release. We may or may not fix this bug for 2.0.4, though!
On 2015-03-24 06:50:23 +0000, Ryan C. Gordon wrote:
Going to fix those concerns and close this bug.
--ryan.
On 2015-03-24 06:57:45 +0000, Ryan C. Gordon wrote:
(In reply to Ryan C. Gordon from comment # 2)
> I can't see a way this loop would be infinite, but you can definitely jump off the end of the format string if it ends with a '%' char.
> The "switch (spot[-2])" should have a "case '\0'" section that bails out in this case.
This one can't happen, I think; SDL_SetError() checks for this case, and it looks like maybe this will happen to push past this bogus char elsewhere in the loop anyhow.
--ryan.
On 2015-03-24 07:15:19 +0000, Ryan C. Gordon wrote:
(In reply to Ryan C. Gordon from comment # 3)
> In either case, we check if maxlen > 0, but it's unsigned, so either bug will probably cause it to grow or wrap around to 0xFFFFFFFF.
Made maxlen signed, made sure we ignore snprintf() results unless they're > 0, and made sure that if snprintf() reports a number larger than the amount it actually wrote, we don't overflow our output buffer.
https://hg.libsdl.org/SDL/rev/92622f92bb8c
Marking this FIXED. Please reopen if this bug still presents for you, but I suspect this will take care of the problem.
--ryan.
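Added example (not SDL's code, and not written by anyone in this thread): a minimal error-message expander in C that reproduces the snprintf() bookkeeping pattern the comments above describe, alongside a hardened variant that applies the three fixes listed in the closing comment (signed remaining count, ignore non-positive snprintf() results, clamp a result that exceeds the space left) plus the trailing-'%' bail-out. The function names, the %d/%s/%% subset, and the 16-byte logical / 64-byte backing buffer sizes are this example's own assumptions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe variant (hypothetical, modelled on the bug report): unsigned maxlen and
 * blind trust in snprintf()'s return value. On C99 runtimes snprintf() returns
 * the length it WOULD have written, so n can exceed maxlen; maxlen -= n then
 * wraps to a huge value, "maxlen > 0" stays true, and spot is already past the
 * end of the buffer. A fmt ending in '%' also walks past its terminator here. */
static void expand_unsafe(char *buf, size_t maxlen, const char *fmt, ...)
{
    va_list ap;
    char *spot = buf;
    va_start(ap, fmt);
    while (*fmt && maxlen > 0) {              /* unsigned: can never go negative */
        if (*fmt == '%') {
            int n = 0;
            switch (*++fmt) {                  /* no case '\0': trailing '%' is not caught */
            case 'd': n = snprintf(spot, maxlen, "%d", va_arg(ap, int)); break;
            case 's': n = snprintf(spot, maxlen, "%s", va_arg(ap, const char *)); break;
            case '%': n = snprintf(spot, maxlen, "%%"); break;
            default:  break;
            }
            fmt++;
            spot += n;                         /* n may be larger than maxlen ... */
            maxlen -= n;                       /* ... so this wraps instead of stopping */
        } else {
            *spot++ = *fmt++;
            --maxlen;
        }
    }
    *spot = '\0';
    va_end(ap);
}

/* Hardened variant: signed remaining count, results <= 0 ignored (covers
 * runtimes that return -1 on truncation), results >= maxlen clamped to what
 * actually landed (maxlen - 1 bytes), and a trailing '%' ends expansion.
 * Returns the number of bytes written, not counting the NUL. */
static size_t expand_safe(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    char *spot = buf;
    ptrdiff_t maxlen = (ptrdiff_t)buflen;     /* signed on purpose */
    if (buflen == 0)
        return 0;
    va_start(ap, fmt);
    while (*fmt && maxlen > 1) {               /* keep one byte for the NUL */
        if (*fmt == '%') {
            int n;
            if (fmt[1] == '\0')
                break;                         /* trailing '%': do not read past the end */
            switch (*++fmt) {
            case 'd': n = snprintf(spot, (size_t)maxlen, "%d", va_arg(ap, int)); break;
            case 's': n = snprintf(spot, (size_t)maxlen, "%s", va_arg(ap, const char *)); break;
            case '%': n = snprintf(spot, (size_t)maxlen, "%%"); break;
            default:  n = 0; break;            /* unknown specifier: dropped */
            }
            fmt++;
            if (n <= 0)
                break;                         /* error or -1-on-truncation runtime: stop here */
            if (n >= maxlen)
                n = (int)(maxlen - 1);         /* truncated: only maxlen-1 bytes were written */
            spot += n;
            maxlen -= n;
        } else {
            *spot++ = *fmt++;
            --maxlen;
        }
    }
    *spot = '\0';
    va_end(ap);
    return (size_t)(spot - buf);
}

enum { LOGICAL = 16, BACKING = 64 };

/* Run the unsafe expander against a 16-byte "buffer" that is really the front of
 * a 64-byte array we own, so the stray writes land in a canary region we can
 * inspect instead of corrupting the stack. Constructed input: a 30-byte %s
 * argument. Returns how far past the logical end the overrun reaches (0 = none). */
static size_t unsafe_overrun_bytes(void)
{
    char backing[BACKING];
    size_t i, reach = 0;
    memset(backing, 'C', sizeof backing);      /* canary fill */
    expand_unsafe(backing, LOGICAL, "%s!", "abcdefghijklmnopqrstuvwxyz0123");
    for (i = LOGICAL; i < BACKING; i++)
        if (backing[i] != 'C')
            reach = i - LOGICAL + 1;
    return reach;
}

int main(void)
{
    char out[LOGICAL];
    printf("unsafe expander wrote %zu bytes past the logical end\n", unsafe_overrun_bytes());
    printf("safe expander wrote %zu bytes: \"%s\"\n",
           expand_safe(out, sizeof out, "%s!", "abcdefghijklmnopqrstuvwxyz0123"), out);
    return 0;
}
```

The unsafe run shows the mechanism from the comments in one pass: snprintf() reports 30 for a 16-byte destination, spot jumps 30 bytes forward, maxlen wraps, and the next literal byte plus the final NUL land well outside the logical buffer. The hardened run truncates to 15 bytes and terminates cleanly. The trailing-'%' case is only exercised against the safe variant, since in the unsafe one it reads past the format string's terminator, which is undefined behaviour rather than something to observe.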