A USE AFTER FREE BUG #863

Closed
ash1852 opened this issue Jun 18, 2022 · 3 comments
ash1852 commented Jun 18, 2022

Hi, I found a potential memory leak bug in the project source code of libsdl. I have shown the execution sequence of the program that may generate the bug in a diagram, which is shown below.
The text in red illustrates the steps that generate the bug.
The red arrows represent call relationships.
The green text illustrates the files and functions whose code snippets are located below the green text.

The code snippet related to libsdl for this bug is shown below:

    if ( hwdata->image != NULL && hwdata->image->pitches[0] != (width*bpp) ) {
        /* Ajust overlay width according to pitch */
        XFree(hwdata->image);
        width = hwdata->image->pitches[0] / bpp;
        hwdata->image = SDL_NAME(XvCreateImage)(GFX_Display, xv_port, format,
                                                0, width, height);
    }

I look forward to your reply and thank you very much for your patience!

Collaborator

sezero commented Jun 18, 2022

Fix would simply be moving XFree() a line below: @icculus, @slouken?

diff --git a/src/video/x11/SDL_x11yuv.c b/src/video/x11/SDL_x11yuv.c
index 62698df..0d5754e 100644
--- a/src/video/x11/SDL_x11yuv.c
+++ b/src/video/x11/SDL_x11yuv.c
@@ -374,8 +374,8 @@ SDL_Overlay *X11_CreateYUVOverlay(_THIS, int width, int height, Uint32 format, S
 #ifdef PITCH_WORKAROUND
 		if ( hwdata->image != NULL && hwdata->image->pitches[0] != (width*bpp) ) {
 			/* Ajust overlay width according to pitch */ 
-			XFree(hwdata->image);
 			width = hwdata->image->pitches[0] / bpp;
+			XFree(hwdata->image);
 			hwdata->image = SDL_NAME(XvCreateImage)(GFX_Display, xv_port, format,
 								0, width, height);
 		}
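
Review bot: the second SDL_NAME(XvCreateImage) call at the end of this block can fail, and nothing in the hunk checks its result; the guard on the first line (hwdata->image != NULL) shows the image pointer may be NULL after creation, so please confirm that the code following the PITCH_WORKAROUND block tests hwdata->image before using it. The reordering itself looks right, since width is now computed from hwdata->image->pitches[0] before XFree(hwdata->image) runs. While this block is being touched, the comment typo "Ajust" could be corrected to "Adjust".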

Collaborator

slouken commented Jun 18, 2022

Yep, go ahead and fix it.

sezero closed this as completed in d7e0020 Jun 18, 2022

smcv commented Aug 1, 2022

CVE-2022-34568 has apparently been assigned to this.
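
The ordering problem discussed in this thread, reduced to a stand-alone demonstration (an added example, not code from SDL or from any participant). `fake_image`, `fake_create` and `fake_free` are hypothetical stand-ins for the Xv image type, `XvCreateImage` and `XFree`, and the 64-byte row alignment is a constructed value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for XvImage, XvCreateImage and XFree. The "freed"
 * image lives in static storage and is filled with 0xDD, so the stale read
 * is well-defined and visible here, unlike with a real heap allocation. */
typedef struct { int pitches[1]; } fake_image;
static fake_image slot;

static fake_image *fake_create(int width, int bpp, int align)
{
    int pitch = width * bpp;
    slot.pitches[0] = (pitch + align - 1) / align * align; /* rows padded */
    return &slot;
}

static void fake_free(fake_image *img)
{
    memset(img, 0xDD, sizeof *img); /* poison, as a debug allocator would */
}

/* Order in the reported snippet: free first, then read the pitch. */
static int width_free_then_read(int width, int bpp, int align)
{
    fake_image *img = fake_create(width, bpp, align);
    if (img->pitches[0] != width * bpp) {
        fake_free(img);
        width = img->pitches[0] / bpp; /* stale read of poisoned memory */
    }
    return width;
}

/* Order in the proposed patch: read the pitch, then free. */
static int width_read_then_free(int width, int bpp, int align)
{
    fake_image *img = fake_create(width, bpp, align);
    if (img->pitches[0] != width * bpp) {
        width = img->pitches[0] / bpp;
        fake_free(img);
    }
    return width;
}

int main(void)
{
    printf("free-then-read: %d\n", width_free_then_read(30, 2, 64));
    printf("read-then-free: %d\n", width_read_then_free(30, 2, 64));
    return 0;
}
```

With a real allocator the stale read is undefined behaviour and may well return the old pitch, which is why this kind of bug tends to surface only under a poisoning allocator or a tool such as AddressSanitizer.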
