Bug 5285 - [Patch] Heap buffer overflow in setup_plane in SDL_kmsdrmvideo.c
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video
Version: 2.0.13
Hardware: All Linux
Importance: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
Reported: 2020-09-13 18:45 UTC by Mathieu Eyraud
Modified: 2020-09-14 18:56 UTC

Attachments
Fix size argument of calloc (1.73 KB, patch)
2020-09-13 18:45 UTC, Mathieu Eyraud

Description Mathieu Eyraud 2020-09-13 18:45:01 UTC
Created attachment 4462
Fix size argument of calloc

Memory allocation for variable 'plane' in function 'setup_plane' uses the size of a pointer instead of the size of the structure. This results in an overflow when writing to the variable.

3 other allocations have an incorrect size parameter, but do not result in an overflow.
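
The allocation-size mistake described in this report, as an added example that is not part of the report, the attached patch or SDL's code. `struct plane_info` and all function names are hypothetical stand-ins, and the undersized request is only computed here, never written through.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a driver-private plane record; not SDL's struct. */
struct plane_info {
    uint32_t plane_id;
    uint32_t crtc_id;
    uint32_t fb_id;
    uint32_t prop_ids[8];
};

/* Bytes requested by the buggy pattern: sizeof applied to the pointer. */
size_t buggy_request(void)
{
    struct plane_info *plane = NULL;
    return sizeof(plane);      /* pointer width, regardless of the struct */
}

/* Bytes requested by the fixed pattern: sizeof applied to the pointee. */
size_t fixed_request(void)
{
    struct plane_info *plane = NULL;
    return sizeof(*plane);     /* unevaluated operand; follows the type */
}

/* Bytes a full write of the struct would run past the undersized block. */
size_t overflow_bytes(void)
{
    return fixed_request() > buggy_request() ? fixed_request() - buggy_request() : 0;
}

/* Correctly sized allocation; returns NULL on failure, caller frees. */
struct plane_info *plane_alloc(uint32_t plane_id)
{
    struct plane_info *plane = calloc(1, sizeof(*plane));
    if (plane == NULL) return NULL;
    plane->plane_id = plane_id;
    plane->prop_ids[7] = 0xffffffffu;  /* last field: past the end of a pointer-sized block */
    return plane;
}

int main(void)
{
    struct plane_info *p = plane_alloc(42);
    printf("buggy=%zu fixed=%zu overflow=%zu\n", buggy_request(), fixed_request(), overflow_bytes());
    free(p);
    return 0;
}
```

Writing `sizeof(*plane)` rather than `sizeof(struct plane_info)` keeps the request tied to the variable, so the size stays right if the pointer's type is later changed.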
Comment 1 Manuel Alfayate Corchete 2020-09-13 19:47:29 UTC
Thanks! Patch merged! Hadn't noticed this... How did you notice something so subtle? Nice find, really.
Comment 2 Mathieu Eyraud 2020-09-14 18:56:22 UTC
Like most bugs I reported here, it was found by clang-tidy.

If you want more info on how I run clang-tidy then check this comment:
https://bugzilla.libsdl.org/show_bug.cgi?id=4841#c4
Be aware that the patch that improves the clang-tidy result is not compatible with the script that generates dynapi.