Fixed bug 1953 - Crash at memcpy X11_DispatchEvent(_THIS) Function
authorSam Lantinga <slouken@libsdl.org>
Wed, 10 Jul 2013 21:57:31 -0700
changeset 7396 a36ab6149a10
parent 7395 c1b80390a820
child 7397 08e4eb5cea46
Fixed bug 1953 - Crash at memcpy X11_DispatchEvent(_THIS) Function Nitz In Function X11_DispatchEvent(_THIS), case SelectionNotify : static void X11_DispatchEvent(_THIS) { // Some Code case SelectionNotify: { //Some Code SDL_bool expect_lf = SDL_FALSE; char *start = NULL; // Initialised with NULL char *scan = (char*)p.data; char *fn; char *uri; int length = 0; while (p.count--) { if (!expect_lf) { if (*scan==0x0D) { expect_lf = SDL_TRUE; } else if(start == NULL) { start = scan; length = 0; } length++; } else { if (*scan==0x0A && length>0) { uri = malloc(length--); memcpy(uri, start, length); // The problem is here: start is still NULL if control reaches the else branch without the start pointer having been initialised, which is wrong uri[length] = 0; fn = X11_URIToLocal(uri); if (fn) SDL_SendDropFile(fn); free(uri); } expect_lf = SDL_FALSE; start = NULL; } scan++; } } As shown above, the start pointer can remain NULL; the patch for this issue would be: if (*scan==0x0D) { expect_lf = SDL_TRUE; } if(start == NULL) { start = scan; length = 0; } Just replace the else if statement with if.
src/video/x11/SDL_x11events.c
--- a/src/video/x11/SDL_x11events.c	Wed Jul 10 23:43:35 2013 -0400
+++ b/src/video/x11/SDL_x11events.c	Wed Jul 10 21:57:31 2013 -0700
@@ -778,12 +778,11 @@
 #endif
             Atom target = xevent.xselection.target;
             if (target == data->xdnd_req) {
-
                 /* read data */
                 SDL_x11Prop p;
                 X11_ReadProperty(&p, display, data->xwindow, videodata->PRIMARY);
 
-                if(p.format==8) {
+                if (p.format == 8) {
                     SDL_bool expect_lf = SDL_FALSE;
                     char *start = NULL;
                     char *scan = (char*)p.data;
@@ -792,21 +791,24 @@
                     int length = 0;
                     while (p.count--) {
                         if (!expect_lf) {
-                            if (*scan==0x0D) {
+                            if (*scan == 0x0D) {
                                 expect_lf = SDL_TRUE;
-                            } else if(start == NULL) {
+                            }
+                            if (start == NULL) {
                                 start = scan;
                                 length = 0;
                             }
                             length++;
                         } else {
-                            if (*scan==0x0A && length>0) {
-                                uri = malloc(length--);
-                                memcpy(uri, start, length);
-                                uri[length] = 0;
+                            if (*scan == 0x0A && length > 0) {
+                                uri = SDL_malloc(length--);
+                                SDL_memcpy(uri, start, length);
+                                uri[length] = '\0';
                                 fn = X11_URIToLocal(uri);
-                                if (fn) SDL_SendDropFile(fn);
-                                free(uri);
+                                if (fn) {
+                                    SDL_SendDropFile(fn);
+                                }
+                                SDL_free(uri);
                             }
                             expect_lf = SDL_FALSE;
                             start = NULL;
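Review bot: `SDL_memcpy(uri, start, length)` on the line after `uri = SDL_malloc(length--)` runs without checking the allocation, so an out-of-memory return is dereferenced just as the NULL `start` was before this fix; wrap the copy, the `'\0'` store, the X11_URIToLocal call and `SDL_free(uri)` in `if (uri) { … }`. Separately, replacing `else if` with `if` means a bare CR/LF pair now sets `start` at the CR with `length` equal to 1, so `length--` leaves 0 and X11_URIToLocal receives an empty string; unless that helper is known to reject "", change the condition to `if (*scan == 0x0A && length > 1) {` so blank lines are skipped (with this hunk `length` always counts the terminating CR). X11_DispatchEvent begins and ends outside the hunk.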
@@ -819,12 +821,12 @@
 
                 /* send reply */
                 XClientMessageEvent m;
-                memset(&m, 0, sizeof(XClientMessageEvent));
+                SDL_memset(&m, 0, sizeof(XClientMessageEvent));
                 m.type = ClientMessage;
                 m.display = display;
                 m.window = data->xdnd_source;
                 m.message_type = videodata->XdndFinished;
-                m.format=32;
+                m.format = 32;
                 m.data.l[0] = data->xwindow;
                 m.data.l[1] = 1;
                 m.data.l[2] = videodata->XdndActionCopy;
@@ -835,7 +837,6 @@
             } else {
                 videodata->selection_waiting = SDL_FALSE;
             }
-
         }
         break;