Fixed bug 1953 - Crash at memcpy X11_DispatchEvent(_THIS) Function
Nitz

In Function X11_DispatchEvent(_THIS), case SelectionNotify :
static void
X11_DispatchEvent(_THIS)
{
 // Some Code
  case SelectionNotify: {
  //Some Code
  SDL_bool expect_lf = SDL_FALSE;
                    char *start = NULL; // Initialised with NULL
                    char *scan = (char*)p.data;
                    char *fn;
                    char *uri;
                    int length = 0;
                    while (p.count--) {
                        if (!expect_lf) {
                            if (*scan==0x0D) {
                                expect_lf = SDL_TRUE;
                            } else if(start == NULL) {
                                start = scan;
                                length = 0;
                            }
                            length++;
                        } else {
                            if (*scan==0x0A && length>0) {
                                uri = malloc(length--);

                                memcpy(uri, start, length); // Problem is Here, start is still NULL if control comes to else statement without initialising the start pointer, which is wrong

                                uri[length] = 0;
                                fn = X11_URIToLocal(uri);
                                if (fn) SDL_SendDropFile(fn);
                                free(uri);
                            }
                            expect_lf = SDL_FALSE;
                            start = NULL;
                        }
                        scan++;
                    }
                }
As shown above, the start pointer can remain NULL. The patch for this issue would be:
                            if (*scan==0x0D) {
                                expect_lf = SDL_TRUE;
                            }
                            if(start == NULL) {
                                start = scan;
                                length = 0;
                            }
Just replace else if statement with if.
slouken committed Jul 11, 2013
1 parent c918214 commit d3b7436
Showing 1 changed file with 14 additions and 13 deletions.
27 changes: 14 additions & 13 deletions src/video/x11/SDL_x11events.c
Expand Up @@ -778,12 +778,11 @@ X11_DispatchEvent(_THIS)
#endif
Atom target = xevent.xselection.target;
if (target == data->xdnd_req) {

/* read data */
SDL_x11Prop p;
X11_ReadProperty(&p, display, data->xwindow, videodata->PRIMARY);

if(p.format==8) {
if (p.format == 8) {
SDL_bool expect_lf = SDL_FALSE;
char *start = NULL;
char *scan = (char*)p.data;
Expand All @@ -792,21 +791,24 @@ X11_DispatchEvent(_THIS)
int length = 0;
while (p.count--) {
if (!expect_lf) {
if (*scan==0x0D) {
if (*scan == 0x0D) {
expect_lf = SDL_TRUE;
} else if(start == NULL) {
}
if (start == NULL) {
start = scan;
length = 0;
}
length++;
} else {
if (*scan==0x0A && length>0) {
uri = malloc(length--);
memcpy(uri, start, length);
uri[length] = 0;
if (*scan == 0x0A && length > 0) {
uri = SDL_malloc(length--);
SDL_memcpy(uri, start, length);
uri[length] = '\0';
fn = X11_URIToLocal(uri);
if (fn) SDL_SendDropFile(fn);
free(uri);
if (fn) {
SDL_SendDropFile(fn);
}
SDL_free(uri);
}
expect_lf = SDL_FALSE;
start = NULL;
Expand All @@ -819,12 +821,12 @@ X11_DispatchEvent(_THIS)

/* send reply */
XClientMessageEvent m;
memset(&m, 0, sizeof(XClientMessageEvent));
SDL_memset(&m, 0, sizeof(XClientMessageEvent));
m.type = ClientMessage;
m.display = display;
m.window = data->xdnd_source;
m.message_type = videodata->XdndFinished;
m.format=32;
m.format = 32;
m.data.l[0] = data->xwindow;
m.data.l[1] = 1;
m.data.l[2] = videodata->XdndActionCopy;
Expand All @@ -835,7 +837,6 @@ X11_DispatchEvent(_THIS)
} else {
videodata->selection_waiting = SDL_FALSE;
}

}
break;
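Review bot: The result of `SDL_malloc(length--)` in the second hunk is passed straight to `SDL_memcpy` and then indexed without a NULL check, so an allocation failure while parsing the drop list ends in the same kind of NULL-pointer access this commit fixes for `start`. The property contents are supplied by the drag source, i.e. another X client, so this loop is worth hardening with `if (uri == NULL) { SDL_OutOfMemory(); break; }` right after the allocation. With the new unconditional `if (start == NULL)`, a bare CR LF line now arrives at the LF branch with `length == 1`, so an empty string is handed to `X11_URIToLocal`; whether that helper tolerates an empty URI is not visible here, and testing `length > 1` instead of `length > 0` would skip such lines. The body of X11_DispatchEvent continues outside the hunks shown.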

