Fixed bug 1991 - XCF and LBM image loading might lead to random crashes
authorSam Lantinga <slouken@libsdl.org>
Sat, 27 Jul 2013 01:18:33 -0700
changeset 4151700d607fce3
parent 414 3ed19b67f778
child 416 67aae79a7175
Fixed bug 1991 - XCF and LBM image loading might lead to random crashes

Marcus von Appen

The current XCF and LBM image loaders mix SDL's and the underlying C memory APIs to allocate, reallocate or compare memory, which can lead to random crashes on the target system.

Attached is a small patch to clean up the API and fix a memory leak in the XCF loader implementation.
IMG_lbm.c
IMG_xcf.c
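--- a/IMG_lbm.c
+++ b/IMG_lbm.c
@@ -120,7 +120,7 @@
 
     /* As size is not used here, no need to swap it */
 
-    if ( memcmp( id, "FORM", 4 ) != 0 )
+    if ( SDL_memcmp( id, "FORM", 4 ) != 0 )
     {
         error="not a IFF file";
         goto done;
@@ -197,7 +197,7 @@
             nbcolors = size / 3;
         }
 
-        if ( !memcmp( id, "CAMG", 4 ) ) /* Amiga ViewMode  */
+        if ( !SDL_memcmp( id, "CAMG", 4 ) ) /* Amiga ViewMode  */
         {
             Uint32 viewmodes;
             if ( !SDL_RWread( src, &viewmodes, sizeof(viewmodes), 1 ) )
@@ -373,7 +373,7 @@
 
         if ( pbm )                 /* File format : 'Packed Bitmap' */
         {
-           memcpy( ptr, MiniBuf, width );
+           SDL_memcpy( ptr, MiniBuf, width );
         }
         else        /* We have to un-interlace the bits ! */
         {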
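--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -288,7 +288,8 @@
 static void free_xcf_header (xcf_header * h) {
   if (h->cm_num)
     SDL_free (h->cm_map);
-
+  if (h->layer_file_offsets)
+	  SDL_free (h->layer_file_offsets);
   SDL_free (h);
 }
 
@@ -303,6 +304,7 @@
   h->image_type  = SDL_ReadBE32 (src);
 
   h->properties = NULL;
+  h->layer_file_offsets = NULL;
   h->compr      = COMPR_NONE;
   h->cm_num = 0;
   h->cm_map = NULL;
@@ -317,7 +319,7 @@
 
       h->cm_num = prop.data.colormap.num;
       h->cm_map = (unsigned char *) SDL_malloc (sizeof (unsigned char) * 3 * h->cm_num);
-      memcpy (h->cm_map, prop.data.colormap.cmap, 3*sizeof (char)*h->cm_num);
+      SDL_memcpy (h->cm_map, prop.data.colormap.cmap, 3*sizeof (char)*h->cm_num);
       SDL_free (prop.data.colormap.cmap);
     }
   } while (prop.id != PROP_END);
@@ -417,7 +419,7 @@
   h->level_file_offsets = NULL;
   i = 0;
   do {
-    h->level_file_offsets = (Uint32 *) realloc (h->level_file_offsets, sizeof (Uint32) * (i+1));
+    h->level_file_offsets = (Uint32 *) SDL_realloc (h->level_file_offsets, sizeof (Uint32) * (i+1));
     h->level_file_offsets [i] = SDL_ReadBE32 (src);
   } while (h->level_file_offsets [i++]);
 
@@ -718,11 +720,10 @@
     goto done;
   }
 
-  head->layer_file_offsets = NULL;
   offsets = 0;
 
   while ((offset = SDL_ReadBE32 (src))) {
-    head->layer_file_offsets = (Uint32 *) realloc (head->layer_file_offsets, sizeof (Uint32) * (offsets+1));
+    head->layer_file_offsets = (Uint32 *) SDL_realloc (head->layer_file_offsets, sizeof (Uint32) * (offsets+1));
     head->layer_file_offsets [offsets] = (Uint32)offset;
     offsets++;
   }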
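Review bot: The SDL_realloc result in the `@@ -417` hunk, `h->level_file_offsets = (Uint32 *) SDL_realloc (h->level_file_offsets, ...)`, is assigned straight back and indexed on the next line with no NULL check, so an allocation failure both leaks the old array and writes through a null pointer; the `head->layer_file_offsets` loop in the `@@ -718` hunk has the same shape. Both loops also grow one element per iteration for as long as the file keeps yielding non-zero offsets, so the number of reallocations is entirely input-controlled, which makes the unchecked failure path reachable rather than theoretical. Reallocating into a temporary, leaving the current pointer in place on failure and taking the function's existing failure path (presumably `goto done` in the `@@ -718` function, which frees the header on that path — confirm) closes both; the `@@ -417` loop takes the same shape with that function's own failure label, which is outside the hunk. Both enclosing functions start and end outside their hunks. As a style nit, the tab before `SDL_free (h->layer_file_offsets);` in the `@@ -288` hunk does not match the two-space indentation around it.
```c
  while ((offset = SDL_ReadBE32 (src))) {
    Uint32 *grown = (Uint32 *) SDL_realloc (head->layer_file_offsets, sizeof (Uint32) * (offsets+1));
    if (!grown) {
      /* head still owns the old array; free_xcf_header releases it */
      goto done;
    }
    head->layer_file_offsets = grown;
    head->layer_file_offsets [offsets] = (Uint32)offset;
    offsets++;
  }
```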