Bug 5408 - [Patch] Use after free in KMSDRM_VideoInit
Summary: [Patch] Use after free in KMSDRM_VideoInit
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: video
Version: 2.0.14
Hardware: x86_64 Linux
Importance: P2 normal
Assignee: Manuel Alfayate Corchete
QA Contact: Sam Lantinga
Reported: 2020-12-21 10:58 UTC by Mathieu Eyraud
Modified: 2020-12-21 17:42 UTC

Attachments
move SDL_free at the end (946 bytes, patch)
2020-12-21 10:58 UTC, Mathieu Eyraud

Description Mathieu Eyraud 2020-12-21 10:58:04 UTC
Created attachment 4594
move SDL_free at the end

KMSDRM_VideoInit uses variable 'dispdata' after it is freed:

in KMSDRM_VideoInit:
 - dispdata is allocated on line 1557.
 - call KMSDRM_DisplayDataInit on line 1575.
   
   in KMSDRM_DisplayDataInit:
     - in case of error, 'dispdata' is freed on line 1243

return to KMSDRM_VideoInit:
 - KMSDRM_DisplayDataInit returned an error so go to 'cleanup' on line 1603.
 - use of dispdata on line 1607

Attached is a patch that moves SDL_free to the end of KMSDRM_VideoInit.
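
The ownership mistake described in this report, reduced to a small C model. This is an added example, not SDL's code and not the attached patch; `DispData`, `disp_init`, `video_init` and the `live`/`violations` trackers are hypothetical names. Access is guarded so the buggy ordering is counted rather than actually dereferencing freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the driver's display data; not SDL's struct. */
typedef struct { int connector; } DispData;

static int live;        /* 1 while the single tracked allocation is valid */
static int violations;  /* accesses attempted after the free */

static DispData *disp_alloc(void) {
    DispData *d = calloc(1, sizeof *d);
    live = (d != NULL);
    return d;
}

static void disp_free(DispData *d) { free(d); live = 0; }

/* Guarded access: records the bug instead of dereferencing freed memory. */
static void disp_release_connector(DispData *d) {
    if (!live) { violations++; return; }
    d->connector = 0;
}

/* Init helper that always fails here; callee_frees selects the buggy shape. */
static int disp_init(DispData *d, int callee_frees) {
    d->connector = 1;
    if (callee_frees) disp_free(d);   /* before: callee frees on error */
    return -1;
}

/* Returns the number of use-after-free accesses seen in the error path. */
int video_init(int callee_frees) {
    violations = 0;
    DispData *d = disp_alloc();
    if (!d) return -1;
    int ret = disp_init(d, callee_frees);
    if (ret != 0) {                   /* caller's error cleanup */
        disp_release_connector(d);    /* caller still touches d here */
        if (live) disp_free(d);       /* after: one free, last, by the owner */
    }
    return violations;
}

int main(void) {
    printf("callee frees: %d, caller frees last: %d\n", video_init(1), video_init(0));
    return 0;
}
```

Building the real driver with `-fsanitize=address` and forcing the init failure path is the equivalent check without a hand-written tracker.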
Comment 1 Manuel Alfayate Corchete 2020-12-21 17:36:43 UTC
@Mathieu

Thanks for this. It seems I tend to forget these small details, so patches like this are VERY welcome for me.

I have included this patch in my latest hg push.
Comment 2 Sam Lantinga 2020-12-21 17:42:52 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/077bbd54eff2