We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 2152 - Integer overflow/underflow in SDL_RegisterApp/SDL_UnregisterApp

Summary: Integer overflow/underflow in SDL_RegisterApp/SDL_UnregisterApp

Status:	RESOLVED WONTFIX

Alias:	None

Product:	SDL
Classification:	Unclassified
Component:	events (show other bugs)
Version:	2.0.0
Hardware:	All Windows (All)

Importance:	P2 normal
Assignee:	Sam Lantinga
QA Contact:	Sam Lantinga

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-10-13 13:58 UTC by Coriiander
Modified:	2014-02-23 03:30 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Coriiander 2013-10-13 13:58:29 UTC

There's a bug in SDL_RegisterApp and SDL_UnregisterApp in file SDL_windowsevents.c. In there some reference counting is going on to ensure the Win32 windowclass (or application class as you will) only gets registered once upon first class registration and only gets unregistered once upon last class unregistration. As there is no bounds checking being performed, the reference counter can overflow/underflow. If this happens you'll have a memory leak, because SDL_Appname will then not be freed in SDL_UnregisterApp.

In SDL_RegisterApp:
/* Only do this once... */
    if (app_registered) {
        ++app_registered;
        return (0);
    }

I'm aware that in normal situations this function shouldn't be called this often, but if it's called beyond INT_MAX times, then the reference counter will go below zero. Not only will this make unregistration of the window class/application class impossible in SDL_UnregisterApp, this will also lead to a memory leak since SDL_AppName will not be freed. While I'd consider a memory leak serious undesired, the failure of not unregistring the window class/application class is less problematic as the Win32 API will do this for you automatically on program shutdown.

To fix this I suggest to do some bounds checking in both functions. Like so:
    if (app_registered) {
        if (INT_MAX > app_registered)
        {
          ++app_registered;
        }
        else
        {
          /* FAIL, Set error or something. It's a void function not being able to return success state */
          return;
        }
        return (0);
    }

Comment 1 Sam Lantinga 2014-02-23 03:30:05 UTC

You're absolutely correct, although the likelihood of it hitting INT_MAX is very low, and the consequences aren't significant. If you run into a real world case where this is an issue, please reopen this bug.

We are currently migrating Bugzilla to GitHub issues.Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.