From 55d841880d9e3ef26348f520abca233edf0e5f10 Mon Sep 17 00:00:00 2001 From: Sam Lantinga Date: Sun, 18 Oct 2009 17:31:37 +0000 Subject: [PATCH] Fixed bug #855 Ludwig Nussel 2009-10-18 06:31:52 PDT an mprotect call was added to fix bug 528. However that results in a buffer that allows writing and code execution. Ie the no-execute security features of modern operating systems are defeated this way. Two mprotect calls are needed. One to make the buffer executable but not writeable when done and another one to make the buffer writeable again if the content needs to be changed. --- src/video/SDL_stretch.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/video/SDL_stretch.c b/src/video/SDL_stretch.c index 6ec324bb2..62cdcc7a8 100644 --- a/src/video/SDL_stretch.c +++ b/src/video/SDL_stretch.c @@ -103,6 +103,13 @@ static int generate_rowbytes(int src_w, int dst_w, int bpp) SDL_SetError("ASM stretch of %d bytes isn't supported\n", bpp); return(-1); } +#ifdef HAVE_MPROTECT + /* Make the code writeable */ + if ( mprotect(copy_row, sizeof(copy_row), PROT_READ|PROT_WRITE) < 0 ) { + SDL_SetError("Couldn't make copy buffer writeable"); + return(-1); + } +#endif pos = 0x10000; inc = (src_w << 16) / dst_w; eip = copy_row; @@ -128,8 +135,8 @@ static int generate_rowbytes(int src_w, int dst_w, int bpp) return(-1); } #ifdef HAVE_MPROTECT - /* Make the code executable */ - if ( mprotect(copy_row, sizeof(copy_row), PROT_READ|PROT_WRITE|PROT_EXEC) < 0 ) { + /* Make the code executable but not writeable */ + if ( mprotect(copy_row, sizeof(copy_row), PROT_READ|PROT_EXEC) < 0 ) { SDL_SetError("Couldn't make copy buffer executable"); return(-1); }