
Bug 4305 - Segmentation fault from SDL_Render.c from stack overallocation using SDL_stack_alloc in SDL_RenderDrawPoints()
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: render
Version: 2.0.8
Hardware: x86_64 Linux
Priority / Severity: P2 normal
Assignee: Ryan C. Gordon
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-11 18:23 UTC by Kyle Kuhn
Modified: 2018-11-03 00:05 UTC
CC: 1 user

See Also:


Attachments
When compiled and linked with SDL2 on Linux, this should replicate the segmentation fault in SDL_Render.c (710 bytes, text/x-c++src)
2018-10-11 18:23 UTC, Kyle Kuhn

Description Kyle Kuhn 2018-10-11 18:23:00 UTC
Created attachment 3365
When compiled and linked with SDL2 on Linux, this should replicate the segmentation fault in SDL_Render.c

I have attached a file that can recreate the bug on Linux.

Platform Information:
I am using Fedora 28 and SDL 2.0.8 (with the latest updates as of 11 October 2018) with a Ryzen 3 2200G and Radeon RX560 with 16 gigabytes of RAM.

How to recreate:
With everything initialized properly, create window and renderer. Heap allocate an array of SDL_Point 250,000 elements in size or greater. Use SDL_RenderDrawPoints() on the valid renderer using this list and the size provided. This will cause a segmentation fault.

Source of bug:
I did some debugging, and traced the segmentation fault back to SDL_stack_alloc() on line 1620 of SDL_render.c. I did some quick checking and found that it was trying to allocate more than 2 megabytes onto the stack, which caused a segmentation fault from an oversized stack.

Potential fix: Allocate the points on the heap instead or render directly from the buffer provided in the "const SDL_Point * points" argument. You can also add error checking to SDL_stack_alloc in order to throw NULL if it exceeds the stack space available.
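The following is an added example written for this page; it is not SDL's code and not the reporter's attachment. It shows the failure pattern the report describes (an alloca-style temporary whose size is controlled by the caller's element count) next to the bounded alternative the "Potential fix" paragraph suggests: keep small temporaries on the stack, move large ones to the heap, and report allocation failure instead of faulting. Assumptions: SDL_stack_alloc expands to alloca() (it does not appear here by name), the Point/FPoint structs stand in for SDL_Point/SDL_FPoint, and the 64 KiB per-call stack budget is an arbitrary value chosen for the example. The 250,000-element input is constructed inline, as in the report.

```c
/* Added example, not SDL code. Demonstrates why an alloca()-backed
 * temporary sized by a caller-supplied count faults for large inputs,
 * and a bounded replacement with a heap fallback. */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { int x, y; } Point;      /* stand-in for SDL_Point  (assumption) */
typedef struct { float x, y; } FPoint;   /* stand-in for SDL_FPoint (assumption) */

/* Largest temporary we are willing to place on the stack; arbitrary budget. */
#define STACK_BUDGET_BYTES (64u * 1024u)

/* The work done on the temporary copy: widen int points to float points.
 * Returns the sum of all output coordinates so callers can check that
 * the whole array was processed. */
static double convert_points(const Point *in, FPoint *out, size_t count)
{
    double checksum = 0.0;
    for (size_t i = 0; i < count; i++) {
        out[i].x = (float)in[i].x;
        out[i].y = (float)in[i].y;
        checksum += out[i].x + out[i].y;
    }
    return checksum;
}

/* Unbounded pattern, as in the report: alloca() cannot fail, it only moves
 * the stack pointer, so 250,000 FPoints (about 2 MB) walk past the end of
 * the stack and the first write into the guard region faults.
 * Only ever called here with a small count. */
static double draw_points_unbounded(const Point *points, size_t count)
{
    FPoint *tmp = alloca(sizeof(FPoint) * count);
    return convert_points(points, tmp, count);
}

/* Bounded replacement: stack for small arrays, heap for large ones, and
 * the byte-count multiplication is checked for wraparound first.
 * Returns 0 on success (checksum written), -1 on failure. */
static int draw_points_bounded(const Point *points, size_t count, double *checksum)
{
    if (count > SIZE_MAX / sizeof(FPoint)) {
        return -1;                         /* sizeof(FPoint) * count would wrap */
    }
    size_t bytes = sizeof(FPoint) * count;
    FPoint *tmp;
    int on_heap = 0;

    if (bytes <= STACK_BUDGET_BYTES) {
        tmp = alloca(bytes);               /* small: stays on the stack */
    } else {
        tmp = malloc(bytes);               /* large: heap, which can fail cleanly */
        if (tmp == NULL) {
            return -1;
        }
        on_heap = 1;
    }
    *checksum = convert_points(points, tmp, count);
    if (on_heap) {
        free(tmp);
    }
    return 0;
}

/* Constructed input: a heap array of `count` points, coordinates derived
 * from the index so the checksum is reproducible. */
static Point *make_points(size_t count)
{
    Point *p = malloc(sizeof(Point) * count);
    if (p == NULL) return NULL;
    for (size_t i = 0; i < count; i++) {
        p[i].x = (int)(i % 640);
        p[i].y = (int)(i % 480);
    }
    return p;
}

/* Convenience wrapper: build `count` points, run the bounded draw, return
 * the checksum, or -1.0 if allocation failed. */
static double bounded_checksum(size_t count)
{
    Point *points = make_points(count);
    if (points == NULL) return -1.0;
    double sum = 0.0;
    int rc = draw_points_bounded(points, count, &sum);
    free(points);
    return rc == 0 ? sum : -1.0;
}

int main(void)
{
    Point *few = make_points(64);
    if (few == NULL) return 1;
    printf("unbounded, 64 points: checksum=%.0f\n", draw_points_unbounded(few, 64));
    free(few);
    /* draw_points_unbounded(points, 250000) is the crash from the report. */
    printf("bounded, 250000 points: checksum=%.0f\n", bounded_checksum(250000));
    return 0;
}
```

The bounded version still calls alloca() for the common small case, so the hot path keeps its speed; the change is that the element count no longer decides how much stack is consumed. A main-thread stack on Linux is usually 8 MB, but render calls can come from worker threads with much smaller stacks, which is why a fixed budget rather than a guess about the caller's stack size is the safer rule.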
Comment 1 Ryan C. Gordon 2018-10-11 18:44:50 UTC
This is already fixed in the renderer rewrite, which will merge after 2.0.9 ships.

--ryan.
Comment 2 Kyle Kuhn 2018-10-12 16:11:32 UTC
(In reply to Ryan C. Gordon from comment #1)
> This is already fixed in the renderer rewrite, which will merge after 2.0.9
> ships.
> 
> --ryan.

Thank you, I'll keep an eye out for it.
Comment 3 Sam Lantinga 2018-11-03 00:05:27 UTC
This is fixed in the latest snapshot:
http://www.libsdl.org/tmp/SDL-2.0.zip