Bug 4825 - OpenGL: Buffer overflow in GL_RunCommandQueue
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: render
Version: HG 2.1
Hardware: x86_64 All
Importance: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
Duplicates: 4972
Reported: 2019-10-13 08:47 UTC by sowfelicity
Modified: 2020-02-17 21:39 UTC

Attachments
Reset the verts pointer. (572 bytes, patch)
2019-10-13 08:47 UTC, sowfelicity

Description sowfelicity 2019-10-13 08:47:47 UTC
Created attachment 3984
Reset the verts pointer.

SDL_RenderDrawLine overflows the verts buffer in the OpenGL renderer.

Output of valgrind:

ATTENTION: default value of option vblank_mode overridden by environment.
==19519== Conditional jump or move depends on uninitialised value(s)
==19519==    at 0x408D282: GL_RunCommandQueue (SDL_render_gl.c:1233)
==19519==    by 0x4086BD0: FlushRenderCommands (SDL_render.c:216)
==19519==    by 0x4086BD0: SDL_RenderPresent_REAL (SDL_render.c:3089)
...

src/render/opengl/SDL_render_gl.c:
                    for (i = 0; i < count; ++i, verts += 2) {
                        data->glVertex2f(verts[0], verts[1]);
                    }
...
                    #if defined(__MACOSX__) || defined(__WIN32__)
                    /* Mac OS X and Windows seem to always leave the last point open */
                    data->glVertex2f(verts[(count-1)*2], verts[(count*2)-1]);
                    #else
                    /* Linux seems to leave the right-most or bottom-most point open */
                    x1 = verts[0];
                    y1 = verts[1];
                    x2 = verts[(count-1)*2];
                    y2 = verts[(count*2)-1];
...
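
The pattern in the excerpt above, reduced to a stand-alone C program (an added example, not SDL's code and not the attached patch): the loop leaves verts advanced by 2*count floats, so the later verts[(count-1)*2] is indexed from the end of the command's points instead of from their start. The backing array, sentinel value, last_point_x and its reset_ptr switch are constructed for illustration, and the reset shown is an assumption based only on the attachment title.

```c
#include <stddef.h>
#include <stdio.h>

#define COUNT 3                 /* points in the constructed line strip */
#define SENTINEL (-999.0f)      /* marks floats that do not belong to the command */

/* Constructed backing store: the first 2*COUNT floats are this command's
   points; the rest stands in for whatever follows them in the vertex buffer. */
static float store[4 * COUNT] = {
    10, 11,  20, 21,  30, 31,
    SENTINEL, SENTINEL, SENTINEL, SENTINEL, SENTINEL, SENTINEL
};

static size_t last_off;  /* float offset, from cmd_verts, of the last-point x read */

/* Walks the points the way the excerpt does, then reads the "last point" x.
   reset_ptr == 0 keeps the advanced pointer (behaviour in the report);
   reset_ptr == 1 rewinds it first (assumed shape of the fix). */
static float last_point_x(const float *cmd_verts, size_t count, int reset_ptr)
{
    const float *verts = cmd_verts;
    float drawn = 0.0f;
    size_t i;

    for (i = 0; i < count; ++i, verts += 2) {
        drawn += verts[0] + verts[1];   /* stands in for glVertex2f(verts[0], verts[1]) */
    }
    (void)drawn;
    if (reset_ptr) {
        verts = cmd_verts;              /* back to the first point */
    }
    last_off = (size_t)(verts - cmd_verts) + (count - 1) * 2;
    return verts[(count - 1) * 2];
}

int main(void)
{
    float bad = last_point_x(store, COUNT, 0);
    size_t bad_off = last_off;
    float good = last_point_x(store, COUNT, 1);

    printf("no reset: float offset %zu (valid: 0..%d), x = %g\n",
           bad_off, 2 * COUNT - 1, bad);
    printf("reset:    float offset %zu, x = %g\n", last_off, good);
    return 0;
}
```
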
Comment 1 Sylvain 2019-10-13 18:53:35 UTC
Thanks, fixed: https://hg.libsdl.org/SDL/rev/3276502021a5
Comment 2 Ryan C. Gordon 2020-02-17 21:39:18 UTC
*** Bug 4972 has been marked as a duplicate of this bug. ***