Bug 2332 - QZ_SetGammaRamp: Out-of-bounds memory access
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video
Version: 1.2.15
Hardware: x86 Mac OS X (All)
Importance: P2 critical
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
Reported: 2014-01-02 01:58 UTC by Seth Willits
Modified: 2014-05-18 01:46 UTC

Attachments
Bad gamma curves caused by this bug (135.64 KB, image/jpeg)
2014-01-02 01:58 UTC, Seth Willits

Description Seth Willits 2014-01-02 01:58:05 UTC
Created attachment 1509
Bad gamma curves caused by this bug

QZ_SetGammaRamp creates gamma LUTs that are only *255* large, but then sets the 256th element. This has obvious negative side effects.

Simply changing tableSize to 256 fixes the potential crash and fixes problems where incorrect gamma curves are set.



int QZ_SetGammaRamp (_THIS, Uint16 *ramp)
{
    const uint32_t tableSize = 256; // CRITICAL FIX -- it was 255
    CGGammaValue redTable[tableSize];
    CGGammaValue greenTable[tableSize];
    CGGammaValue blueTable[tableSize];
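
The sizing rule behind this report, as an added example that is not part of the original report or SDL's code: each destination table must hold all 256 entries of its channel, and a helper that is told the table capacity can refuse a 255-entry table instead of writing past its end. The names `split_gamma_ramp`, `RAMP_ENTRIES` and `demo`, the layout of three consecutive 256-entry channels, and the identity ramp used as input are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define RAMP_ENTRIES 256  /* entries per channel (assumed ramp layout) */

/* Hypothetical helper, not SDL's: split a ramp of 3 * RAMP_ENTRIES 16-bit
   values (red, then green, then blue) into float tables in [0.0, 1.0].
   table_len is the capacity of each destination table. Returns 0 on
   success, or -1 without writing anything if a table is too small. */
int split_gamma_ramp(const uint16_t *ramp, float *red, float *green,
                     float *blue, size_t table_len)
{
    size_t i;
    if (ramp == NULL || red == NULL || green == NULL || blue == NULL)
        return -1;
    if (table_len < RAMP_ENTRIES)   /* a 255-entry table is rejected here */
        return -1;
    for (i = 0; i < RAMP_ENTRIES; i++) {
        red[i]   = ramp[i] / 65535.0f;
        green[i] = ramp[RAMP_ENTRIES + i] / 65535.0f;
        blue[i]  = ramp[2 * RAMP_ENTRIES + i] / 65535.0f;
    }
    return 0;
}

/* Constructed sample input: an identity ramp, 0..65535 in 256 steps. */
void make_identity_ramp(uint16_t *ramp)
{
    size_t c, i;
    for (c = 0; c < 3; c++)
        for (i = 0; i < RAMP_ENTRIES; i++)
            ramp[c * RAMP_ENTRIES + i] = (uint16_t)(i * 257);
}

/* Returns 1 if a capacity of 255 is refused with the 256th slot left
   untouched, and a capacity of 256 fills every entry including the last. */
int demo(void)
{
    uint16_t ramp[3 * RAMP_ENTRIES];
    float r[RAMP_ENTRIES], g[RAMP_ENTRIES], b[RAMP_ENTRIES];
    make_identity_ramp(ramp);
    r[255] = -1.0f;                       /* canary in the 256th slot */
    if (split_gamma_ramp(ramp, r, g, b, 255) != -1 || r[255] != -1.0f)
        return 0;
    if (split_gamma_ramp(ramp, r, g, b, sizeof r / sizeof r[0]) != 0)
        return 0;
    return r[255] == 1.0f && g[0] == 0.0f && b[255] == 1.0f;
}
int main(void) { return demo() ? 0 : 1; }
```

Passing the capacity as `sizeof r / sizeof r[0]` keeps the declared size and the loop bound tied to one constant, so they cannot drift apart the way 255 and 256 did here.
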
Comment 1 Ryan C. Gordon 2014-05-18 01:46:05 UTC
This was fixed on April 17th, 2013, here...

    https://hg.libsdl.org/SDL/rev/f7fd5c3951b9

...but has not made it into an official 1.2 release (and later patches have completely disabled QZ_SetGammaRamp() as it uses a deprecated OS X API that would crash some drivers on modern Macs).

--ryan.