Sam Lantinga <slouken@libsdl.org> [Fri, 12 Jul 2013 23:45:12 -0700] rev 7430
Fixed bug 1938 - Buffer overflows in the Windows IME code

norfanin

There are a few potential buffer overflows in the Windows IME code located in the SDL_windowskeyboard.c file. [1] They mainly happen because the code passes the number of bytes instead of the number of characters to the wide-character string functions wcslcpy and wcslcat. In another place, the code assumes that the composition cursor position can never go beyond the size of the composition string buffer.

Some of these overflows and overruns can occur with the Japanese IME on Vista and simplified Chinese IME on XP. I don't actually speak those languages and it's my first time using the IMEs, so I probably pushed them to the limit where nobody would still be compositing proper words. They don't cause any immediate access violation, although the possibility of trashing the SDL_VideoData structure is never good.

I've attached a patch that fixes those I found, but because I'm very new to the code it may be worthwhile if someone else also has a look over the code.

I'll go over the changes in my patch and explain what, why and how.

In the function IME_GetReadingString, there is a wcslcpy to copy the reading string from the IMC memory to the SDL reading string buffer. [2] This assumes that the length of the reading string never exceeds the SDL buffer size. I guess that is possible and I wasn't able to get a long reading string in my tests, but the patch adds a simple check anyway.

In the function IME_GetCompositionString, the first line calls ImmGetCompositionStringW to get the composition string. [3] The Microsoft documentation states that the fourth argument is for the destination buffer size in bytes (even with unicode) and the code correctly passes the value of sizeof. However, at the end of IME_GetCompositionString, the string is terminated by setting the element at index 'length' to 0. 'length' is calculated by dividing the number of bytes (those written by ImmGetCompositionStringW) by 2. If it managed to write 64 bytes, the code sets element 32 to 0, which would be the beginning of the reading string if the alignment places it there. My patch adds a subtraction to the fourth argument, essentially making it always pass 62 instead.

In the same function, the code assumes that the composition cursor position doesn't go beyond the buffer size. [4] My patch adds a simple range check in front of the indirection.

In the function IME_SendEditingEvent, the size for the wide-character string functions is passed in bytes instead of characters. [5] Oddly, the current code subtracts 'len' from the size in one function call. This results in truncation in certain situations as the third argument is the number of characters available in the destination buffer. If I'm understanding it correctly, this is supposed to copy x characters of the composition buffer, then concatenate the whole reading string buffer, and then the rest of the composition buffer (where x is the composition cursor position). I don't see how a truncation of the rest would be helpful here. Perhaps this is just an error? My patch removes the subtraction.

In the function UIElementSink_UpdateUIElement, bytes instead of characters are used again for a wcslcpy call. [6]
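The two defect classes in this report (a byte count passed to a wide-character function that expects an element count, and a terminator written at index bytes / sizeof(WCHAR) after ImmGetCompositionStringW has been allowed to fill the whole buffer) are easy to reproduce in isolation. The following is an added illustration, not code from the SDL repository or from the patch: it models the composition and reading-string fields as one wide-character arena so the field overrun is observable without writing outside any real object, supplies its own BSD-style wcslcpy (assumed to have the same element-count semantics as the one SDL uses), and replaces ImmGetCompositionStringW with a constructed stand-in that follows the documented "size in bytes, no terminator" contract. Sizes are expressed through sizeof(wchar_t), so the numbers differ from the report's 64/32 (which assume a 2-byte WCHAR) on platforms with a 4-byte wchar_t, but the bug shape is the same.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define COMP_CHARS 32                 /* composition buffer, in wide chars */
#define READ_CHARS 16                 /* reading-string buffer, in wide chars */

/* Constructed model of two adjacent wide-char fields, like ime_composition[]
 * followed by ime_readingstring[] in SDL_VideoData. One arena, sized to the
 * element count the buggy "sizeof" argument permits, keeps every write in the
 * demonstration inside a real object while still showing the field overrun. */
typedef struct {
    wchar_t arena[COMP_CHARS * sizeof(wchar_t)];
} ime_state;

/* BSD-style wcslcpy, written here because it is not in glibc: size is in
 * ELEMENTS, the result is always NUL-terminated when size > 0, and the return
 * value is wcslen(src). (Assumed semantics, matching the BSD/SDL convention.) */
static size_t wcslcpy_local(wchar_t *dst, const wchar_t *src, size_t size)
{
    size_t srclen = wcslen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n * sizeof(wchar_t));
        dst[n] = L'\0';
    }
    return srclen;
}

/* Writes n copies of L'x' plus a terminator: a constructed long composition. */
static void fill_src(wchar_t *src, size_t n)
{
    wmemset(src, L'x', n);
    src[n] = L'\0';
}

/* Bugs [2]/[6]: the byte count (sizeof) is passed where an element count is
 * due, so the copy may run sizeof(wchar_t) times further than the field. */
static size_t copy_composition_bytes(ime_state *s, const wchar_t *src)
{
    return wcslcpy_local(s->arena, src, COMP_CHARS * sizeof(wchar_t));
}

/* Fixed form: the element count bounds the copy to the field. */
static size_t copy_composition_chars(ime_state *s, const wchar_t *src)
{
    return wcslcpy_local(s->arena, src, COMP_CHARS);
}

/* 1 if anything was written into the reading-string field behind the
 * composition buffer, i.e. the overrun the report describes. */
static int reading_string_clobbered(const ime_state *s)
{
    for (size_t i = COMP_CHARS; i < COMP_CHARS + READ_CHARS; i++) {
        if (s->arena[i] != L'\0') {
            return 1;
        }
    }
    return 0;
}

/* Stand-in for ImmGetCompositionStringW's documented contract: copy at most
 * cb_dst BYTES, add no terminator, return the bytes copied. (Constructed
 * model, not the Win32 function.) */
static unsigned long imm_get_composition_model(wchar_t *dst, unsigned long cb_dst,
                                               const wchar_t *src)
{
    unsigned long cb_src = (unsigned long)(wcslen(src) * sizeof(wchar_t));
    unsigned long n = cb_src < cb_dst ? cb_src : cb_dst;
    memcpy(dst, src, n);
    return n;
}

/* Bug [3]: fetch the composition with cb_arg as the byte size, then terminate
 * at index bytes / sizeof(wchar_t). Returns the index used, or -1 when that
 * index is COMP_CHARS (the first element of the reading string), which the
 * original code wrote to unconditionally. Passing sizeof(buf) - sizeof(buf[0])
 * as cb_arg, as the patch does, keeps the index at most COMP_CHARS - 1. */
static int fetch_and_terminate(ime_state *s, unsigned long cb_arg, const wchar_t *src)
{
    unsigned long length = imm_get_composition_model(s->arena, cb_arg, src) / sizeof(wchar_t);
    if (length >= COMP_CHARS) {
        return -1;
    }
    s->arena[length] = L'\0';
    return (int)length;
}

/* Bug [4]: the cursor is an index into the composition buffer and must be
 * range-checked before the indirection; the end position (== length) is legal. */
static int cursor_in_range(unsigned long cursor, size_t length)
{
    return cursor <= length && cursor < COMP_CHARS;
}
```

With a 40-character composition, copy_composition_bytes spills into the reading-string region while copy_composition_chars truncates at COMP_CHARS - 1 and leaves it untouched; fetch_and_terminate with the full sizeof reports a terminator index of COMP_CHARS (out of the field), and with sizeof minus one element it lands on the last slot. The defensive pattern the patch applies is the same in every case: size arguments for wide-character functions are element counts, and any index derived from a byte count returned by the IMM API is checked against the element count before it is dereferenced.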

Sam Lantinga <slouken@libsdl.org> [Fri, 12 Jul 2013 23:28:34 -0700] rev 7429
Don't set the current OpenGL window if the context creation fails.

Sam Lantinga <slouken@libsdl.org> [Fri, 12 Jul 2013 23:16:11 -0700] rev 7428
Updated supported iOS version.

Ryan C. Gordon <icculus@icculus.org> [Sat, 13 Jul 2013 00:10:25 -0400] rev 7427
CMake project should install sdl2.m4.

Fixes Bugzilla #1809.

Ryan C. Gordon <icculus@icculus.org> [Sat, 13 Jul 2013 00:07:34 -0400] rev 7426
CMake project should enable pthreads for Mac OS X by default.

Ryan C. Gordon <icculus@icculus.org> [Fri, 12 Jul 2013 23:38:44 -0400] rev 7425
Fixed iOS context sharing again.

I suck at Objective-C.

Ryan C. Gordon <icculus@icculus.org> [Fri, 12 Jul 2013 23:32:54 -0400] rev 7424
Patched to compile.

Ryan C. Gordon <icculus@icculus.org> [Fri, 12 Jul 2013 23:30:26 -0400] rev 7423
Implement SDL_GL_SHARE_WITH_CURRENT_CONTEXT for iOS.

Fixes Bugzilla #1947.

Sam Lantinga <slouken@libsdl.org> [Fri, 12 Jul 2013 10:44:55 -0700] rev 7422
Moved the game controller database to a separate file and added a script to sort the entries so we can easily check for duplicates

Sam Lantinga <slouken@libsdl.org> [Fri, 12 Jul 2013 08:21:28 -0700] rev 7421
Oops, that was supposed to be in the Linux section.