From d3b7436089ce35269624da3bfeed9614c7fb192b Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Wed, 10 Jul 2013 21:57:31 -0700
Subject: [PATCH] Fixed bug 1953 - Crash at memcpy X11_DispatchEvent(_THIS) Function Nitz In Function X11_DispatchEvent(_THIS), case SelectionNotify : static void X11_DispatchEvent(_THIS) { // Some Code case SelectionNotify: { //Some Code SDL_bool expect_lf = SDL_FALSE; char *start = NULL; // Initialised with NULL char *scan = (char*)p.data; char *fn; char *uri; int length = 0; while (p.count--) { if (!expect_lf) { if (*scan==0x0D) { expect_lf = SDL_TRUE; } else if(start == NULL) { start = scan; length = 0; } length++; } else { if (*scan==0x0A && length>0) { uri = malloc(length--); memcpy(uri, start, length); // Problem is Here, start is still NULL if control comes to else statement without initialising the start pointer, which is wrong uri[length] = 0; fn = X11_URIToLocal(uri); if (fn) SDL_SendDropFile(fn); free(uri); } expect_lf = SDL_FALSE; start = NULL; } scan++; } } As shown above how start pointer remains NULL, Patch for this issue would be: if (*scan==0x0D) { expect_lf = SDL_TRUE; } if(start == NULL) { start = scan; length = 0; } Just replace else if statement with if.
---
 src/video/x11/SDL_x11events.c | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/video/x11/SDL_x11events.c b/src/video/x11/SDL_x11events.c
index 025777aee..7fb99818c 100644
--- a/src/video/x11/SDL_x11events.c
+++ b/src/video/x11/SDL_x11events.c
@@ -778,12 +778,11 @@ X11_DispatchEvent(_THIS)
 #endif
 Atom target = xevent.xselection.target;
 if (target == data->xdnd_req) {
- /* read data */
 SDL_x11Prop p;
 X11_ReadProperty(&p, display, data->xwindow, videodata->PRIMARY);
- if(p.format==8) {
+ if (p.format == 8) {
 SDL_bool expect_lf = SDL_FALSE;
 char *start = NULL;
 char *scan = (char*)p.data;
@@ -792,21 +791,24 @@ X11_DispatchEvent(_THIS)
 int length = 0;
 while (p.count--) {
 if (!expect_lf) {
- if (*scan==0x0D) {
+ if (*scan == 0x0D) {
 expect_lf = SDL_TRUE;
- } else if(start == NULL) {
+ }
+ if (start == NULL) {
 start = scan;
 length = 0;
 }
 length++;
 } else {
- if (*scan==0x0A && length>0) {
- uri = malloc(length--);
- memcpy(uri, start, length);
- uri[length] = 0;
+ if (*scan == 0x0A && length > 0) {
+ uri = SDL_malloc(length--);
+ SDL_memcpy(uri, start, length);
+ uri[length] = '\0';
 fn = X11_URIToLocal(uri);
- if (fn) SDL_SendDropFile(fn);
- free(uri);
+ if (fn) {
+ SDL_SendDropFile(fn);
+ }
+ SDL_free(uri);
 }
 expect_lf = SDL_FALSE;
 start = NULL;
@@ -819,12 +821,12 @@ X11_DispatchEvent(_THIS)
 /* send reply */
 XClientMessageEvent m;
- memset(&m, 0, sizeof(XClientMessageEvent));
+ SDL_memset(&m, 0, sizeof(XClientMessageEvent));
 m.type = ClientMessage;
 m.display = display;
 m.window = data->xdnd_source;
 m.message_type = videodata->XdndFinished;
- m.format=32;
+ m.format = 32;
 m.data.l[0] = data->xwindow;
 m.data.l[1] = 1;
 m.data.l[2] = videodata->XdndActionCopy;
@@ -835,7 +837,6 @@ X11_DispatchEvent(_THIS)
 } else {
 videodata->selection_waiting = SDL_FALSE;
 }
- }
 break;
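Review bot: `uri = SDL_malloc(length--);` is still followed by `SDL_memcpy(uri, start, length)` and `uri[length] = '\0'` with no NULL check, and `length` is computed from property data that another X client supplied, so an allocation failure here is a write through a NULL pointer rather than a dropped entry; a guard such as `if (!uri) { SDL_OutOfMemory(); break; }` directly after the allocation leaves the XdndFinished reply path below intact. With the `else if` turned into a plain `if`, a CR now always sets `start` and falls through to `length++`, so `length > 0` on the LF line is always true and a bare CRLF hands an empty string to `X11_URIToLocal`; `if (*scan == 0x0A && length > 1)` would skip empty lines explicitly, since the CR is the one byte that `length--` drops. Whether X11_URIToLocal tolerates an empty URI cannot be seen from the hunk, so that part is an observation rather than a confirmed defect. X11_DispatchEvent begins and ends outside the hunk.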