
Bug 3873 - Buffer overflow on SDL_INIT_GAMECONTROLLER
Summary: Buffer overflow on SDL_INIT_GAMECONTROLLER
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: joystick
Version: HG 2.0
Hardware: x86 Other
Importance: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-11 18:58 UTC by Ryan C. Gordon
Modified: 2017-10-11 20:27 UTC

See Also:


Description Ryan C. Gordon 2017-10-11 18:58:34 UTC
AddressSanitizer finds a buffer overflow on SDL_Init(SDL_INIT_GAMECONTROLLER) ... tested against revision 11596:9d8ea0382c52


#include "SDL.h"

/* Minimal reproducer: initialising only the game controller subsystem
   is enough to trigger the overflow reported below. */
int main(void)
{
    SDL_Init(SDL_INIT_GAMECONTROLLER);
    return 0;
}



ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d438 at pc 0x000103289c35 bp 0x7fff5c9a8450 sp 0x7fff5c9a8448
WRITE of size 8 at 0x60200000d438 thread T0
    #0 0x103289c34 in SDL_AddEventWatch_REAL SDL_events.c:809
    #1 0x103298ec8 in SDL_GameControllerInit SDL_gamecontroller.c:1226
    #2 0x10326315c in SDL_InitSubSystem_REAL SDL.c:211
    #3 0x103257f68 in main (x:x86_64+0x100000f68)
    #4 0x7fff8d135234 in start (libdyld.dylib:x86_64+0x5234)

0x60200000d438 is located 0 bytes to the right of 8-byte region [0x60200000d430,0x60200000d438)
allocated by thread T0 here:
    #0 0x103645680 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x56680)
    #1 0x103289b90 in SDL_AddEventWatch_REAL SDL_events.c:802
    #2 0x103298ec8 in SDL_GameControllerInit SDL_gamecontroller.c:1226
    #3 0x10326315c in SDL_InitSubSystem_REAL SDL.c:211
    #4 0x103257f68 in main (x:x86_64+0x100000f68)
    #5 0x7fff8d135234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow SDL_events.c:809 in SDL_AddEventWatch_REAL
Shadow bytes around the buggy address:
  0x1c0400001a30: fa fa 00 00 fa fa 00 00 fa fa 00 07 fa fa 00 07
  0x1c0400001a40: fa fa 00 07 fa fa 00 07 fa fa 00 04 fa fa 00 06
  0x1c0400001a50: fa fa 00 07 fa fa 00 00 fa fa fd fd fa fa fd fd
  0x1c0400001a60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c0400001a70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 03 fa
=>0x1c0400001a80: fa fa fd fd fa fa 00[fa]fa fa fa fa fa fa fa fa
  0x1c0400001a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400001ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
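Added illustration, not code from SDL, from this report or from the linked fix: a realloc-grown callback array carrying the off-by-one that produces exactly the signature above (an 8-byte write landing 0 bytes to the right of an 8-byte region), beside a bounds-correct version. The type and function names (WatchList, add_watch, add_watch_buggy) are hypothetical, and the example makes no claim about what line 809 of SDL_events.c actually did.

```c
/*
 * Hypothetical reconstruction of the bug class in the ASan report above.
 * Not SDL code. Build and run the buggy path under AddressSanitizer:
 *   cc -g -fsanitize=address watchers.c -o watchers && ./watchers buggy
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*WatchFn)(void *userdata);

typedef struct {
    WatchFn *entries;  /* realloc-grown array; each entry is 8 bytes on x86_64 */
    size_t count;      /* slots in use */
} WatchList;

/*
 * BUGGY: sizes the new array for `count` entries, then stores into
 * entries[count], one slot past the end. With one watcher already
 * registered this reallocates an 8-byte region and writes 8 bytes at
 * offset 8, matching "0 bytes to the right of 8-byte region".
 * Only call this in a sanitizer build.
 */
static int add_watch_buggy(WatchList *l, WatchFn fn)
{
    WatchFn *grown = realloc(l->entries, l->count * sizeof *grown);
    if (grown == NULL && l->count > 0)
        return -1;
    l->entries = grown;
    l->entries[l->count] = fn;   /* heap-buffer-overflow */
    l->count++;
    return 0;
}

/* FIXED: grow to count+1 first, then the index `count` is in bounds. */
static int add_watch(WatchList *l, WatchFn fn)
{
    size_t new_count = l->count + 1;
    if (new_count > SIZE_MAX / sizeof *l->entries)   /* size_t overflow guard */
        return -1;
    WatchFn *grown = realloc(l->entries, new_count * sizeof *grown);
    if (grown == NULL)
        return -1;   /* old array is still valid and still owned by l */
    l->entries = grown;
    l->entries[l->count] = fn;   /* count < new_count */
    l->count = new_count;
    return 0;
}

/* Removes the first entry equal to fn, keeping the remaining order. */
static int del_watch(WatchList *l, WatchFn fn)
{
    for (size_t i = 0; i < l->count; i++) {
        if (l->entries[i] == fn) {
            memmove(&l->entries[i], &l->entries[i + 1],
                    (l->count - i - 1) * sizeof *l->entries);
            l->count--;
            return 0;
        }
    }
    return -1;
}

static void free_watches(WatchList *l)
{
    free(l->entries);
    l->entries = NULL;
    l->count = 0;
}

static void noop_a(void *u) { (void)u; }
static void noop_b(void *u) { (void)u; }

/* Exercises only the fixed path; returns the number of watchers kept. */
static size_t demo_fixed(void)
{
    WatchList l = { NULL, 0 };
    add_watch(&l, noop_a);
    add_watch(&l, noop_b);
    add_watch(&l, noop_a);
    del_watch(&l, noop_b);
    size_t n = l.count;
    free_watches(&l);
    return n;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "buggy") == 0) {
        WatchList l = { NULL, 0 };
        add_watch(&l, noop_a);        /* count == 1, array is 8 bytes */
        add_watch_buggy(&l, noop_b);  /* 8-byte write at offset 8 */
        free_watches(&l);
        return 0;
    }
    printf("fixed path kept %zu watchers\n", demo_fixed());
    return 0;
}
```

Under ASan, `./watchers buggy` yields a report of the same shape as the one above: a WRITE of size 8 located 0 bytes to the right of an 8-byte region allocated by realloc. Without a sanitizer the stray 8 bytes usually land in allocator slack or in the neighbouring chunk's bookkeeping and go unnoticed at the write itself; this class of bug then tends to surface later as a heap-consistency abort inside free(), far from the faulty store, which is why it is hunted under ASan rather than from the crash site.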
Comment 1 Kai Sterker 2017-10-11 19:12:30 UTC
Possibly related, after updating to latest hg (11596:9d8ea0382c52), I get a crash on exit.

Thread 1 "adonthell-0.3" received signal SIGABRT, Aborted.
0x00007ffff5f31428 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
54	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff5f31428 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff5f3302a in __GI_abort () at abort.c:89
#2  0x00007ffff5f737ea in __libc_message (do_abort=do_abort@entry=2, 
    fmt=fmt@entry=0x7ffff608ce98 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff5f7c37a in malloc_printerr (ar_ptr=<optimised out>, 
    ptr=<optimised out>, 
    str=0x7ffff608cf10 "free(): invalid next size (fast)", action=3)
    at malloc.c:5006
#4  _int_free (av=<optimised out>, p=<optimised out>, have_lock=0)
    at malloc.c:3867
#5  0x00007ffff5f8053c in __GI___libc_free (mem=<optimised out>)
    at malloc.c:2968
#6  0x00007ffff7ab806a in SDL_StopEventLoop ()
    at /home/kai/adonthell/dev/SDL/src/events/SDL_events.c:377
#7  0x00007ffff7a98e4a in SDL_QuitSubSystem_REAL (flags=<optimised out>, 
    flags@entry=16384) at /home/kai/adonthell/dev/SDL/src/SDL.c:313
#8  0x00007ffff7ac6158 in SDL_JoystickQuit ()
    at /home/kai/adonthell/dev/SDL/src/joystick/SDL_joystick.c:564
#9  0x00007ffff7a98fe0 in SDL_QuitSubSystem_REAL (flags=29233)
    at /home/kai/adonthell/dev/SDL/src/SDL.c:264
#10 SDL_Quit_REAL () at /home/kai/adonthell/dev/SDL/src/SDL.c:354
#11 0x000000000047de09 in main ()

Might be something different, as I cannot reproduce it with the SDL test programs (tried both testgamecontroller and testdraw2), but smells like a memory issue to me.
Comment 2 Sam Lantinga 2017-10-11 20:27:54 UTC
Fixed!
https://hg.libsdl.org/SDL/rev/7ee20a756f96