From 32ba8745cd0a98c36ae90ed29d9873e1edd9db09 Mon Sep 17 00:00:00 2001
From: Sam Lantinga
Date: Fri, 25 Jan 2013 14:25:19 -0800
Subject: [PATCH] Fixed crash when the game controller mapping hint is set - the hint was duplicated and not null terminated.
---
 src/joystick/SDL_gamecontroller.c | 56 ++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 23 deletions(-)
diff --git a/src/joystick/SDL_gamecontroller.c b/src/joystick/SDL_gamecontroller.c
index b1de6ee7a..9b737e4ad 100644
--- a/src/joystick/SDL_gamecontroller.c
+++ b/src/joystick/SDL_gamecontroller.c
@@ -518,21 +518,26 @@ char *SDL_PrivateGetControllerGUIDFromMappingString( const char *pMapping )
 */
 char *SDL_PrivateGetControllerNameFromMappingString( const char *pMapping )
 {
- const char *pFirstComma = SDL_strchr( pMapping, ',' );
- const char *pSecondComma = SDL_strchr( pFirstComma + 1, ',' );
- if ( pFirstComma && pSecondComma )
- {
- char *pchName = SDL_malloc( pSecondComma - pFirstComma );
- if ( !pchName )
- {
- SDL_OutOfMemory();
- return NULL;
- }
- SDL_memcpy( pchName, pFirstComma + 1, pSecondComma - pFirstComma );
- pchName[ pSecondComma - pFirstComma - 1 ] = 0;
- return pchName;
- }
- return NULL;
+ const char *pFirstComma, *pSecondComma;
+ char *pchName;
+
+ pFirstComma = SDL_strchr( pMapping, ',' );
+ if ( !pFirstComma )
+ return NULL;
+
+ pSecondComma = SDL_strchr( pFirstComma + 1, ',' );
+ if ( !pSecondComma )
+ return NULL;
+
+ pchName = SDL_malloc( pSecondComma - pFirstComma );
+ if ( !pchName )
+ {
+ SDL_OutOfMemory();
+ return NULL;
+ }
+ SDL_memcpy( pchName, pFirstComma + 1, pSecondComma - pFirstComma );
+ pchName[ pSecondComma - pFirstComma - 1 ] = 0;
+ return pchName;
 }
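Review bot: The copy length in `SDL_memcpy( pchName, pFirstComma + 1, pSecondComma - pFirstComma )` is one byte longer than the name, so the second comma is copied into the last byte of the buffer and only then overwritten by the terminator. The access stays inside both the allocation and the source string, but having the allocation size and the copy length equal makes the bounds harder to audit than they need to be. Copying only the name, `SDL_memcpy( pchName, pFirstComma + 1, pSecondComma - pFirstComma - 1 );`, leaves the terminator slot visibly reserved. A one-line comment that the returned buffer is heap-allocated and owned by the caller would also help, since the neighbouring mapping getter returns a borrowed pointer instead.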
@@ -541,12 +546,17 @@ char *SDL_PrivateGetControllerNameFromMappingString( const char *pMapping )
 */
 const char *SDL_PrivateGetControllerMappingFromMappingString( const char *pMapping )
 {
- const char *pFirstComma = SDL_strchr( pMapping, ',' );
- const char *pSecondComma = SDL_strchr( pFirstComma + 1, ',' );
- if ( pSecondComma )
- return pSecondComma + 1; // mapping is everything after the 3rd comma, no need to malloc it
- else
- return NULL;
+ const char *pFirstComma, *pSecondComma;
+
+ pFirstComma = SDL_strchr( pMapping, ',' );
+ if ( !pFirstComma )
+ return NULL;
+
+ pSecondComma = SDL_strchr( pFirstComma + 1, ',' );
+ if ( !pSecondComma )
+ return NULL;
+
+ return pSecondComma + 1; /* mapping is everything after the 3rd comma, no need to malloc it */
 }
@@ -603,8 +613,8 @@ SDL_GameControllerInit(void)
 if ( hint && hint[0] )
 {
 int nchHints = SDL_strlen( hint );
- char *pUserMappings = SDL_malloc( nchHints + 1 );
- SDL_memcpy( pUserMappings, hint, nchHints );
+ char *pUserMappings = SDL_malloc( nchHints + 1 ); /* FIXME: memory leak, but we can't free it in this function because pchMapping below points into this memory */
+ SDL_memcpy( pUserMappings, hint, nchHints + 1 );
 while ( pUserMappings )
 {
 char *pchGUID;
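Review bot: The comment kept on the final `return pSecondComma + 1;` says the mapping is everything after the 3rd comma, but the function only searches for two commas and returns the byte after the second one. The comment should match the code and state the lifetime of the result, for example `/* mapping is everything after the 2nd comma; the result points into pMapping, so it is not malloc'd and must not be freed */`. This matters to callers because the pointer is only valid for as long as the string passed in as `pMapping`.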
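Review bot: The result of `SDL_malloc( nchHints + 1 )` is passed straight to `SDL_memcpy` without a NULL check, so an allocation failure here becomes a NULL-pointer write during controller init. The `while ( pUserMappings )` loop that follows already skips a NULL pointer, so guarding the copy is enough: `if ( pUserMappings ) SDL_memcpy( pUserMappings, hint, nchHints + 1 );`. `nchHints` is also an `int` holding the result of `SDL_strlen`, which narrows the length of a hint string supplied from outside the library; `size_t nchHints` avoids that conversion. The body of SDL_GameControllerInit continues outside this hunk, so how `pUserMappings` is consumed later is not visible here.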