From ddcf0933c1ef65323c577bee64e891e2c9ada481 Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Sat, 27 Jul 2013 01:18:33 -0700
Subject: [PATCH] Fixed bug 1991 - XCF and LBM image loading might lead to random crashes

Marcus von Appen

The current XCF and LBM image loaders mix SDL's and the underlying C memory APIs to allocate, reallocate or compare memory, which can lead to random crashes on the target system. Attached is a small patch to clean up the API and fix a memory lead in the XCF loader implementation.
---
 IMG_lbm.c | 6 +++---
 IMG_xcf.c | 11 ++++++-----
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/IMG_lbm.c b/IMG_lbm.c
index 7a1b0797..7aeb3bff 100644
--- a/IMG_lbm.c
+++ b/IMG_lbm.c
@@ -120,7 +120,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )
 /* As size is not used here, no need to swap it */
- if ( memcmp( id, "FORM", 4 ) != 0 )
+ if ( SDL_memcmp( id, "FORM", 4 ) != 0 )
 {
 error="not a IFF file";
 goto done;
@@ -197,7 +197,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )
 nbcolors = size / 3;
 }
- if ( !memcmp( id, "CAMG", 4 ) ) /* Amiga ViewMode */
+ if ( !SDL_memcmp( id, "CAMG", 4 ) ) /* Amiga ViewMode */
 {
 Uint32 viewmodes;
 if ( !SDL_RWread( src, &viewmodes, sizeof(viewmodes), 1 ) )
@@ -373,7 +373,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )
 if ( pbm ) /* File format : 'Packed Bitmap' */
 {
- memcpy( ptr, MiniBuf, width );
+ SDL_memcpy( ptr, MiniBuf, width );
 }
 else /* We have to un-interlace the bits ! */
 {
diff --git a/IMG_xcf.c b/IMG_xcf.c
index 22e17100..d4215263 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -288,7 +288,8 @@ static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
 static void free_xcf_header (xcf_header * h) {
 if (h->cm_num)
 SDL_free (h->cm_map);
-
+ if (h->layer_file_offsets)
+ SDL_free (h->layer_file_offsets);
 SDL_free (h);
 }
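Review bot: The `if (h->layer_file_offsets)` guard added in free_xcf_header is redundant, because SDL_free accepts a NULL pointer; the two added lines can be the single call `SDL_free (h->layer_file_offsets);`. The release is only safe because read_xcf_header now sets the field to NULL before anything can fail, and nothing in the function says so. A short comment above it would record that, e.g. `/* Frees the header plus the colormap and layer offset arrays it owns; layer_file_offsets must be NULL or heap-allocated. */`.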
@@ -303,6 +304,7 @@ static xcf_header * read_xcf_header (SDL_RWops * src) {
 h->image_type = SDL_ReadBE32 (src);
 h->properties = NULL;
+ h->layer_file_offsets = NULL;
 h->compr = COMPR_NONE;
 h->cm_num = 0;
 h->cm_map = NULL;
@@ -317,7 +319,7 @@ static xcf_header * read_xcf_header (SDL_RWops * src) {
 h->cm_num = prop.data.colormap.num;
 h->cm_map = (unsigned char *) SDL_malloc (sizeof (unsigned char) * 3 * h->cm_num);
- memcpy (h->cm_map, prop.data.colormap.cmap, 3*sizeof (char)*h->cm_num);
+ SDL_memcpy (h->cm_map, prop.data.colormap.cmap, 3*sizeof (char)*h->cm_num);
 SDL_free (prop.data.colormap.cmap);
 }
 } while (prop.id != PROP_END);
@@ -417,7 +419,7 @@ static xcf_hierarchy * read_xcf_hierarchy (SDL_RWops * src) {
 h->level_file_offsets = NULL;
 i = 0;
 do {
- h->level_file_offsets = (Uint32 *) realloc (h->level_file_offsets, sizeof (Uint32) * (i+1));
+ h->level_file_offsets = (Uint32 *) SDL_realloc (h->level_file_offsets, sizeof (Uint32) * (i+1));
 h->level_file_offsets [i] = SDL_ReadBE32 (src);
 } while (h->level_file_offsets [i++]);
@@ -718,11 +720,10 @@ SDL_Surface *IMG_LoadXCF_RW(SDL_RWops *src)
 goto done;
 }
- head->layer_file_offsets = NULL;
 offsets = 0;
 while ((offset = SDL_ReadBE32 (src))) {
- head->layer_file_offsets = (Uint32 *) realloc (head->layer_file_offsets, sizeof (Uint32) * (offsets+1));
+ head->layer_file_offsets = (Uint32 *) SDL_realloc (head->layer_file_offsets, sizeof (Uint32) * (offsets+1));
 head->layer_file_offsets [offsets] = (Uint32)offset;
 offsets++;
 }
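Review bot: The SDL_malloc result stored in `h->cm_map` is still handed to SDL_memcpy without a NULL check in the read_xcf_header hunk at -317, so an allocation failure turns into a write through a NULL pointer. `h->cm_num` is copied from `prop.data.colormap.num`, which presumably comes from the file being parsed, so the allocation size is input-controlled and the `3 * h->cm_num` product deserves an upper bound as well. A guard before the copy such as `if (h->cm_map == NULL) { SDL_free (prop.data.colormap.cmap); free_xcf_header (h); return NULL; }` would cover the failure case, assuming callers treat a NULL header as a failed load. The function body starts and ends outside the hunk, so that assumption needs checking against the caller.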
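Review bot: The SDL_realloc result in the read_xcf_hierarchy hunk at -417 is assigned straight back to `h->level_file_offsets` and indexed on the next line, so a failed reallocation both leaks the old array and dereferences NULL; the IMG_LoadXCF_RW hunk at -718 has the same pattern for `head->layer_file_offsets`. Both loops grow the array by one element per offset read from the file, so the number of reallocations is set by the input. Reallocating into a temporary, `Uint32 *grown = (Uint32 *) SDL_realloc (h->level_file_offsets, sizeof (Uint32) * (i+1));`, testing `if (grown == NULL)` and only then doing `h->level_file_offsets = grown;`, keeps the old pointer valid for cleanup. Both function bodies start and end outside the hunks, so the failure branch has to follow whatever error path the surrounding code already uses.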