From 5ea2dd0dce83a01f8b85cba78fde238ad20ea8a8 Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Wed, 12 Nov 2008 17:23:40 +0000
Subject: [PATCH] Date: Sun, 7 Sep 2008 15:17:00 +0200

From: c2woody@gmx.net
Subject: [SDL] SDL 1.2 doube free/pointer zeroing missing

Hello,
this is about a crash/debug breakage for the current SDL 1.2 source tree (today's svn checkout, same problem in 1.2.13 and before as far as relevant). In some places memory is free()d but the associated pointer is not zeroed, leading to for example double free()s. For me this happened because SDL_StopEventThread() was executed twice (during restart of the subsystems), once for the close down in SDL_VideoQuit() and once at the startup, right at the beginning of SDL_StartEventLoop(). Thus the code SDL_DestroyMutex(SDL_EventQ.lock); (see SDL_events.c) was called twice and executed the SDL_free(mutex); twice as well, leading to a crash (msvc 64bit for which it was noticed). I've tried to check all other occurrences of SDL_free and similar code in msvc, see the attached patch (udiff against revision 4082). Non-windows only codepaths have neither been checked nor touched.
Comments/ideas welcome.
Attached patch: NULLifies some pointers after they have been free()d.
---
 src/audio/SDL_wave.c | 3 +++
 src/cdrom/win32/SDL_syscdrom.c | 1 +
 src/events/SDL_events.c | 2 ++
 src/joystick/win32/SDL_mmjoystick.c | 2 ++
 src/video/SDL_yuv_sw.c | 1 +
 src/video/windx5/SDL_dx5yuv.c | 1 +
 6 files changed, 10 insertions(+)

diff --git a/src/audio/SDL_wave.c b/src/audio/SDL_wave.c
index 465195eb8..48acb3f30 100644
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -440,6 +440,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
 do {
 if ( chunk.data != NULL ) {
 SDL_free(chunk.data);
+ chunk.data = NULL;
 }
 lenread = ReadChunk(src, &chunk);
 if ( lenread < 0 ) {
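Review bot: The `if ( chunk.data != NULL )` guard around the new free-and-reset pair is redundant once the pointer is always reset, provided SDL_free follows free()'s NULL semantics (not visible in this hunk); the same guarded shape recurs in the @@ -522 hunk of this file and the @@ -354 hunk of src/joystick/win32/SDL_mmjoystick.c. Since this commit exists because the reset was forgotten at several free sites, a single helper (name constructed here) such as `#define SDL_FREE_AND_NULL(p) do { SDL_free(p); (p) = NULL; } while (0)` would make the pattern the default rather than something each call site has to remember. In this loop the reset matters because ReadChunk replaces `chunk.data` on the next iteration and the error path after the loop presumably frees it again; SDL_LoadWAV_RW starts and ends outside the hunk, so that cleanup is not visible here.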
@@ -522,6 +523,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
 do {
 if ( *audio_buf != NULL ) {
 SDL_free(*audio_buf);
+ *audio_buf = NULL;
 }
 lenread = ReadChunk(src, &chunk);
 if ( lenread < 0 ) {
@@ -591,6 +593,7 @@ static int ReadChunk(SDL_RWops *src, Chunk *chunk)
 if ( SDL_RWread(src, chunk->data, chunk->length, 1) != 1 ) {
 SDL_Error(SDL_EFREAD);
 SDL_free(chunk->data);
+ chunk->data = NULL;
 return(-1);
 }
 return(chunk->length);
diff --git a/src/cdrom/win32/SDL_syscdrom.c b/src/cdrom/win32/SDL_syscdrom.c
index 3d0587dad..98499a88a 100644
--- a/src/cdrom/win32/SDL_syscdrom.c
+++ b/src/cdrom/win32/SDL_syscdrom.c
@@ -377,6 +377,7 @@ void SDL_SYS_CDQuit(void)
 if ( SDL_numcds > 0 ) {
 for ( i=0; ihwdata != NULL) {
 /* free system specific hardware data */
 SDL_free(joystick->hwdata);
+ joystick->hwdata = NULL;
 }
 }
@@ -354,6 +355,7 @@ void SDL_SYS_JoystickQuit(void)
 for (i = 0; i < MAX_JOYSTICKS; i++) {
 if ( SYS_JoystickName[i] != NULL ) {
 SDL_free(SYS_JoystickName[i]);
+ SYS_JoystickName[i] = NULL;
 }
 }
 }
diff --git a/src/video/SDL_yuv_sw.c b/src/video/SDL_yuv_sw.c
index 13c4a92e1..303a5e6d4 100644
--- a/src/video/SDL_yuv_sw.c
+++ b/src/video/SDL_yuv_sw.c
@@ -1294,5 +1294,6 @@ void SDL_FreeYUV_SW(_THIS, SDL_Overlay *overlay)
 SDL_free(swdata->rgb_2_pix);
 }
 SDL_free(swdata);
+ overlay->hwdata = NULL;
 }
 }
diff --git a/src/video/windx5/SDL_dx5yuv.c b/src/video/windx5/SDL_dx5yuv.c
index 2457dacd8..6111ff535 100644
--- a/src/video/windx5/SDL_dx5yuv.c
+++ b/src/video/windx5/SDL_dx5yuv.c
@@ -290,6 +290,7 @@ void DX5_FreeYUVOverlay(_THIS, SDL_Overlay *overlay)
 IDirectDrawSurface_Release(hwdata->surface);
 }
 SDL_free(hwdata);
+ overlay->hwdata = NULL;
 }
 }
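Review bot: On the short-read path in ReadChunk (@@ -591) the new line clears `chunk->data` but leaves `chunk->length` at the value the read was sized against, so the Chunk the caller holds after a -1 is only half reset: a NULL buffer paired with a non-zero length. Adding `chunk->length = 0;` beside the new assignment keeps the two fields consistent, so any later code that trusts the pair sees an empty chunk instead of a length with nothing behind it. Callers that test `lenread < 0` before touching the chunk, as the @@ -522 hunk does, are already safe; this only hardens the struct for the next caller that does not. Where `chunk->length` and the `chunk->data` allocation come from is above this hunk and not visible here.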
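Review bot: The new `overlay->hwdata = NULL;` in SDL_FreeYUV_SW (@@ -1294) is correct only if the local `swdata` just passed to SDL_free is the same object as `overlay->hwdata`; that assignment is made above the hunk, so the relationship deserves a comment at the reset, e.g. `/* swdata aliases overlay->hwdata; clear it so a repeated free is a no-op */`. The same applies to the `hwdata`/`overlay->hwdata` pair in the @@ -290 hunk of src/video/windx5/SDL_dx5yuv.c. In both cases the local pointer itself is left dangling after the free, which is harmless only because each function ends immediately afterwards; the comment keeps a later addition from reusing it. Both enclosing functions start outside their hunks.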