Fixed buffer overflow in joystick cleanup. (valgrind ftw!) SDL-1.2
authorRyan C. Gordon <icculus@icculus.org>
Thu, 03 Nov 2011 12:42:23 -0400
branchSDL-1.2
changeset 604754b2716f595d
parent 5988 bf927e528813
child 6048 a0538c8c39b5
Fixed buffer overflow in joystick cleanup. (valgrind ftw!)
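--- a/src/joystick/SDL_joystick.c	Thu Oct 13 16:38:05 2011 -0400
+++ b/src/joystick/SDL_joystick.c	Thu Nov 03 12:42:23 2011 -0400
@@ -37,6 +37,7 @@
 #endif
 
 Uint8 SDL_numjoysticks = 0;
+int SDL_allocatedjoysticks = 0;
 SDL_Joystick **SDL_joysticks = NULL;
 
 int SDL_JoystickInit(void)
@@ -47,10 +48,12 @@
 	SDL_numjoysticks = 0;
 	status = SDL_SYS_JoystickInit();
 	if ( status >= 0 ) {
-		arraylen = (status+1)*sizeof(*SDL_joysticks);
+		SDL_allocatedjoysticks = status;
+		arraylen = (SDL_allocatedjoysticks+1)*sizeof(*SDL_joysticks);
 		SDL_joysticks = (SDL_Joystick **)SDL_malloc(arraylen);
 		if ( SDL_joysticks == NULL ) {
 			SDL_numjoysticks = 0;
+			SDL_allocatedjoysticks = 0;
 		} else {
 			SDL_memset(SDL_joysticks, 0, arraylen);
 			SDL_numjoysticks = status;
@@ -370,7 +373,7 @@
 	for ( i=0; SDL_joysticks[i]; ++i ) {
 		if ( joystick == SDL_joysticks[i] ) {
 			SDL_memmove(&SDL_joysticks[i], &SDL_joysticks[i+1],
-			       (SDL_numjoysticks-i)*sizeof(joystick));
+			       (SDL_allocatedjoysticks-i)*sizeof(joystick));
 			break;
 		}
 	}
@@ -419,6 +422,7 @@
 	if ( SDL_joysticks ) {
 		SDL_free(SDL_joysticks);
 		SDL_joysticks = NULL;
+		SDL_allocatedjoysticks = 0;
 	}
 }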
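Review bot: The length passed to SDL_memmove in the `@@ -370,7 +373,7 @@` hunk stays in bounds only because SDL_joysticks is allocated with `SDL_allocatedjoysticks+1` slots in SDL_JoystickInit, and nothing at the new global's declaration records that coupling. As far as the hunk shows, `(SDL_allocatedjoysticks-i)` is signed arithmetic that is then converted to a size, so if the counter and the array ever drift apart (for example a later change that resets the counter before the last close) a negative difference becomes a very large copy length, presumably the same failure mode this commit fixes for SDL_numjoysticks. I would add a comment at the declaration, `/* Slots in SDL_joysticks, not counting the NULL terminator; fixed from init until the array is freed. */`, and consider making the variable `static` if no other file reads it. The function containing the memmove starts and ends outside the hunk, so whether `i` is otherwise bounded cannot be confirmed from here.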