Package: libsdl-gfx1.2-4 Version: 2.0.13-2+b1 Severity: normal Tags: patch In SDL_rotozoom.c there are several calls to SDL_CreateRGBSurface() whose return value is passed unchecked to subsequent functions that dereference it (such as zoomSurfaceRGBA()), so a failed allocation results in a NULL dereference and a segfault. The attached patch bails out and returns NULL when the allocation fails; it sets no error message of its own, since SDL_CreateRGBSurface() already sets the SDL error string on failure.
There may be more elegant ways to handle this (is there a way to recover from failed allocations?), but at least this lets the caller detect the failure and call SDL_GetError(). Hope you find it useful, Kevin -- System Information: Debian Release: 4.0 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/dash Kernel: Linux 2.6.18.20061209a Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages libsdl-gfx1.2-4 depends on: ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries ii libsdl1.2debian 1.2.11-7 Simple DirectMedia Layer libsdl-gfx1.2-4 recommends no packages. -- no debconf information
--- SDL_rotozoom.c.orig 2004-11-29 07:40:21.000000000 -0700
+++ SDL_rotozoom.c 2006-12-31 17:21:01.000000000 -0700
@@ -640,6 +640,8 @@
  */
  rz_src =
  SDL_CreateRGBSurface(SDL_SWSURFACE, src->w, src->h, 32, 0x000000ff, 0x0000ff00, 0x00ff0000, 0xff000000);
+ if (rz_src == NULL)
+ return NULL;
  SDL_BlitSurface(src, NULL, rz_src, NULL);
  src_converted = 1;
  is32bit = 1;
@@ -702,6 +704,18 @@
  rz_dst = SDL_CreateRGBSurface(SDL_SWSURFACE, dstwidth, dstheight, 8, 0, 0, 0, 0);
  }
 
+ /*
+ * Bail if we were unable to allocate the zoomed surface
+ */
+ if (rz_dst == NULL) {
+ /*
+ * Free the converted source surface if necessary
+ */
+ if (src_converted)
+ SDL_FreeSurface(rz_src);
+ return NULL;
+ }
+
  /*
  * Lock source surface
  */
@@ -774,6 +788,18 @@
  rz_dst = SDL_CreateRGBSurface(SDL_SWSURFACE, dstwidth, dstheight, 8, 0, 0, 0, 0);
  }
 
+ /*
+ * Bail if we were unable to allocate the zoomed surface
+ */
+ if (rz_dst == NULL) {
+ /*
+ * Free the converted source surface if necessary
+ */
+ if (src_converted)
+ SDL_FreeSurface(rz_src);
+ return NULL;
+ }
+
  /*
  * Lock source surface
  */
@@ -892,6 +918,8 @@
  */
  rz_src =
  SDL_CreateRGBSurface(SDL_SWSURFACE, src->w, src->h, 32, 0x000000ff, 0x0000ff00, 0x00ff0000, 0xff000000);
+ if (rz_src == NULL)
+ return NULL;
  SDL_BlitSurface(src, NULL, rz_src, NULL);
  src_converted = 1;
  is32bit = 1;
@@ -925,6 +953,18 @@
  }
 
  /*
+ * Bail if we were unable to allocate the zoomed surface
+ */
+ if (rz_dst == NULL) {
+ /*
+ * Free the converted source surface if necessary
+ */
+ if (src_converted)
+ SDL_FreeSurface(rz_src);
+ return NULL;
+ }
+
+ /*
  * Lock source surface
  */
  SDL_LockSurface(rz_src);
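Review bot: The new `if (rz_src == NULL) return NULL;` in the `@@ -640` hunk closes the NULL dereference, but the `SDL_BlitSurface(src, NULL, rz_src, NULL)` on the very next context line still ignores its return value, so a failed conversion blit leaves rz_src holding whatever SDL_CreateRGBSurface() initialised rather than the source image, and the zoom then silently produces garbage; the identical hunk at `@@ -892` has the same gap. Because this branch has just created rz_src and nothing else in the hunk refers to it yet, the failure can be handled in place: `if (SDL_BlitSurface(src, NULL, rz_src, NULL) != 0) { SDL_FreeSurface(rz_src); return NULL; }`. SDL_BlitSurface() sets the SDL error string itself, so no additional message is needed. The enclosing function starts before and ends after this hunk, so I cannot see whether any other resource is live at this point.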
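Review bot: The bail-out in the `@@ -702` hunk frees rz_src only when src_converted is set, which is right since rz_src otherwise aliases the caller's src, but the `SDL_LockSurface(rz_src)` that follows in the context lines is still unchecked; it returns -1 on failure (for example when an RLE-accelerated source has to be decoded first), and a failure there would need the same cleanup plus `SDL_FreeSurface(rz_dst)`. As a point of style, this cleanup block is now duplicated verbatim in three hunks (`@@ -702`, `@@ -774` and `@@ -925`); the usual C idiom is a single `goto` cleanup label at the end of each function that frees rz_dst and, if src_converted, rz_src, so every later failure point in the same function can reuse it instead of growing another copy. The trailing blank `+` line and, in the `@@ -925` hunk, the way diff split the existing `/*` comment are cosmetic only. The enclosing functions start before and end after these hunks, so the locking and zoom calls they guard are not visible here.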