Commit Graph

18 Commits

Author SHA1 Message Date
Sam Lantinga
e3cc5b2c6b Updated copyright for 2018 2018-01-03 10:03:25 -08:00
Sam Lantinga
fb835f9e3b Fixed bug 2330 - Debian bug report: SDL2 X11 driver buffer overflow with large X11 file descriptor
manuel.montezelo

Original bug report (note that it was against 2.0.0, it might have been fixed in between):  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733015

--------------------------------------------------------
Package: libsdl2-2.0-0
Version: 2.0.0+dfsg1-3
Severity: normal
Tags: patch

I have occasional crashes here caused by the X11 backend of SDL2. It seems to
be caused by the X11_Pending function trying to add a high number (> 1024)
file descriptor to a fd_set before doing a select on it to avoid busy waiting
on X11 events. This causes a buffer overflow because the file descriptor is
larger (or equal) than the limit FD_SETSIZE.

Attached is a possible workaround patch.

Please also keep in mind that fd_set are also used in following files which
may have similar problems.

src/audio/bsd/SDL_bsdaudio.c
src/audio/paudio/SDL_paudio.c
src/audio/qsa/SDL_qsa_audio.c
src/audio/sun/SDL_sunaudio.c
src/joystick/linux/SDL_sysjoystick.c


--------------------------------------------------------

On Tuesday 24 December 2013 00:43:13 Sven Eckelmann wrote:
> I have occasional crashes here caused by the X11 backend of SDL2. It seems
> to be caused by the X11_Pending function trying to add a high number (>
> 1024) file descriptor to a fd_set before doing a select on it to avoid busy
> waiting on X11 events. This causes a buffer overflow because the file
> descriptor is larger (or equal) than the limit FD_SETSIZE.


I personally experienced this problem while hacking on the python bindings
package for SDL2 [1] (while doing make runtest). But it easier to reproduce in
a smaller, synthetic testcase.
2017-08-14 20:22:19 -07:00
Philipp Wiesemann
68ca9d9ed1 qnx: Fixed error message. 2017-07-29 23:00:45 +02:00
Ryan C. Gordon
03eaddcad4 Fixed compiler warnings on QNX. 2017-07-23 19:25:16 -04:00
Philipp Wiesemann
fb9c2939c2 qnx: Fixed setting a field twice. 2017-07-07 23:00:10 +02:00
Ryan C. Gordon
22241ed0b0 Support for QNX 7.0 (thanks, Elad!).
Fixes Bugzilla #3686.
2017-07-01 17:50:47 -04:00
Philipp Wiesemann
7c5078d8bd qnx: Removed unnecessary check for available audio devices. 2017-05-28 21:50:37 +02:00
Philipp Wiesemann
1e60ea76db qnx: Removed unnecessary call to SDL_zerop() after SDL_calloc(). 2017-05-28 21:50:27 +02:00
Sam Lantinga
45b774e3f7 Updated copyright for 2017 2017-01-01 18:33:28 -08:00
Ryan C. Gordon
f6a280ab7f audio: Don't trust audio drivers to drain pending audio.
This tends to be a frequent spot where drivers hang, and the waits were
often unreliable in any case.

Instead, our audio thread now alerts the driver that we're done streaming audio
(which currently XAudio2 uses to alert the system not to warn about the
impending underflow) and then SDL_Delay()'s for a duration that's reasonable
to drain the DMA buffers before closing the device.
2016-10-07 15:13:46 -04:00
Ryan C. Gordon
9b2a59ef05 audio: Changed OnlyHasDefaultInputDevice to OnlyHasDefaultCaptureDevice. 2016-08-05 02:04:48 -04:00
Ryan C. Gordon
761a79788c audio: changed some SDL_memset() calls to SDL_zero(), other minor corrections. 2016-08-05 01:59:06 -04:00
Ryan C. Gordon
979de761c9 audio: Removed internal SDL_audiomem.h and macros.
I think this was important for SDL 1.2 because some targets needed
special device memory for DMA buffers or locked memory buffers for use in
hardware interrupts or something, but since it just defines to SDL_malloc
and SDL_free now, I took it out for clarity's sake.
2016-08-05 01:44:15 -04:00
Ryan C. Gordon
9b64772775 audio: Clean up some CloseDevice() interface details.
- It's now always called if device->hidden isn't NULL, even if OpenDevice()
  failed halfway through. This lets implementation code not have to clean up
  itself on every possible failure point; just return an error and SDL will
  handle it for you.

- Implementations can assume this->hidden != NULL and not check for it.

- implementations don't have to set this->hidden = NULL when done, because
  the caller is always about to free(this).

- Don't reset other fields that are in a block of memory about to be free()'d.

- Implementations all now free things like internal mix buffers last, after
  closing devices and such, to guarantee they definitely aren't in use anymore
  at the point of deallocation.
2016-08-05 01:44:41 -04:00
Ryan C. Gordon
6d5c9c1e67 audio: Made some SDL_AudioDevice fields atomic.
This makes sure they're properly communicated to the audio threads.
2016-08-02 13:48:52 -04:00
Ryan C. Gordon
67f2538c41 audio: changed some internal ints to be SDL_bools. 2016-08-01 13:32:27 -04:00
Sam Lantinga
42065e785d Updated copyright to 2016 2016-01-02 10:10:34 -08:00
Philipp Wiesemann
0e45984fa0 Fixed crash if initialization of EGL failed but was tried again later.
The internal function SDL_EGL_LoadLibrary() did not delete and remove a mostly
uninitialized data structure if loading the library first failed. A later try to
use EGL then skipped initialization and assumed it was previously successful
because the data structure now already existed. This led to at least one crash
in the internal function SDL_EGL_ChooseConfig() because a NULL pointer was
dereferenced to make a call to eglBindAPI().
2015-06-21 17:33:46 +02:00