Package: libsdl-gfx1.2-4
Version: 2.0.13-2+b1
Severity: normal
Tags: patch

In SDL_rotozoom.c there are several calls to SDL_CreateRGBSurface()
whose return value is passed unchecked to subsequent functions
(such as zoomSurfaceRGBA()) that dereference it, which results in
segfaults when the allocation fails.  The attached patch bails out and returns NULL if
allocation fails (since SDL_Error is already set by CreateSurface()
upon failure).

There may be more elegant ways to handle this (is there a way to
recover from failed allocations?) but at least this will allow the
user to call SDL_GetError() on failure.

Hope you find it useful,
Kevin

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18.20061209a
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libsdl-gfx1.2-4 depends on:
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libsdl1.2debian              1.2.11-7    Simple DirectMedia Layer

libsdl-gfx1.2-4 recommends no packages.

-- no debconf information
--- SDL_rotozoom.c.orig	2004-11-29 07:40:21.000000000 -0700
+++ SDL_rotozoom.c	2006-12-31 17:21:01.000000000 -0700
@@ -640,6 +640,8 @@
 	 */
 	rz_src =
 	    SDL_CreateRGBSurface(SDL_SWSURFACE, src->w, src->h, 32, 0x000000ff, 0x0000ff00, 0x00ff0000, 0xff000000);
+	if (rz_src == NULL)
+	    return NULL;
 	SDL_BlitSurface(src, NULL, rz_src, NULL);
 	src_converted = 1;
 	is32bit = 1;
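Review bot: The `SDL_BlitSurface(src, NULL, rz_src, NULL)` call right after the new NULL check still ignores its return value, so a failed blit leaves `src_converted = 1` and the code goes on to transform whatever pixels the fresh 32-bit surface happens to hold. The conversion should be treated as failed in that case, for example `if (SDL_BlitSurface(src, NULL, rz_src, NULL) < 0) { SDL_FreeSurface(rz_src); return NULL; }`. The same pattern appears in the `@@ -892,6 +918,8 @@` hunk. The enclosing function starts and ends outside both hunks, so confirm that nothing else is allocated before this point that the early return would leak.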
@@ -702,6 +704,18 @@
 	    rz_dst = SDL_CreateRGBSurface(SDL_SWSURFACE, dstwidth, dstheight, 8, 0, 0, 0, 0);
 	}
 
+    	/*
+    	 * Bail if we were unable to allocate the zoomed surface
+    	 */
+    	if (rz_dst == NULL) {
+	    /*
+	     * Free the converted source surface if necessary
+	     */
+	    if (src_converted)
+	    	SDL_FreeSurface(rz_src);
+	    return NULL;
+    	}
+
 	/*
 	 * Lock source surface 
 	 */
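Review bot: Returning NULL on this path changes what callers observe (previously a crash, now a NULL surface), and nothing visible in the hunk documents it. The function's header comment lies outside the hunk and should gain a line such as `Returns NULL if a surface cannot be allocated; SDL_GetError() describes the failure.` The identical bail-out block is repeated in the `@@ -774,6 +788,18 @@` and `@@ -925,6 +953,18 @@` hunks, so the same remark applies there. In this hunk and the next, the added lines are indented with four spaces followed by a tab while the surrounding context uses tabs alone. Bracing the inner `if (src_converted)` would also keep the cleanup safe if another statement is added later.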
@@ -774,6 +788,18 @@
 	    rz_dst = SDL_CreateRGBSurface(SDL_SWSURFACE, dstwidth, dstheight, 8, 0, 0, 0, 0);
 	}
 
+    	/*
+    	 * Bail if we were unable to allocate the zoomed surface
+    	 */
+    	if (rz_dst == NULL) {
+	    /*
+	     * Free the converted source surface if necessary
+	     */
+	    if (src_converted)
+	    	SDL_FreeSurface(rz_src);
+	    return NULL;
+    	}
+
 	/*
 	 * Lock source surface 
 	 */
@@ -892,6 +918,8 @@
 	 */
 	rz_src =
 	    SDL_CreateRGBSurface(SDL_SWSURFACE, src->w, src->h, 32, 0x000000ff, 0x0000ff00, 0x00ff0000, 0xff000000);
+	if (rz_src == NULL)
+	    return NULL;
 	SDL_BlitSurface(src, NULL, rz_src, NULL);
 	src_converted = 1;
 	is32bit = 1;
@@ -925,6 +953,18 @@
     }
 
     /*
+     * Bail if we were unable to allocate the zoomed surface
+     */
+    if (rz_dst == NULL) {
+	/*
+	 * Free the converted source surface if necessary
+	 */
+	if (src_converted)
+	    SDL_FreeSurface(rz_src);
+	return NULL;
+    }
+
+    /*
      * Lock source surface 
      */
     SDL_LockSurface(rz_src);
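Review bot: The context line `SDL_LockSurface(rz_src);` directly after the new check discards the lock result, which is the same kind of unchecked failure this patch is fixing for allocation. When `src_converted` is 0, `rz_src` is presumably the caller's own surface, which may require locking before its pixels are read. Consider guarding it with `if (SDL_LockSurface(rz_src) < 0)` and, on failure, freeing `rz_dst` (and `rz_src` when `src_converted` is set) before returning NULL. The allocation of `rz_dst` and the rest of the function are outside this hunk, so check the cleanup against the full body.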
