libsdl-org / SDL-1.2

Simple Directmedia Layer, 1.2 branch ... ***DEPRECATED***, please use https://github.com/libsdl-org/SDL for new projects!
https://libsdl.org
GNU Lesser General Public License v2.1

A USE AFTER FREE BUG #863

Closed ash1852 closed 2 years ago

ash1852 commented 2 years ago

Hi, I found a potential memory leak bug in the project source code of libsdl. I have shown the execution sequence of the program that may generate the bug in a diagram, which is shown below. The text in red illustrates the steps that generate the bug. The red arrows represent call relationships. The green text illustrates the files and functions whose code snippets are located below the green text.

the code snippet related to libsdl of this bug is shown below: https://github.com/libsdl-org/SDL-1.2/blob/e1c3a1aa5b6e56e78bc1405f64a9bd7d952614b1/src/video/x11/SDL_x11yuv.c#L375-L381

I look forward to your reply and thank you very much for your patience!
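The ordering defect described in the report, reproduced as an added example. This is not SDL code and not the reporter's code: `ToyImage`, `toy_alloc`, `toy_free`, `overlay_width_buggy` and `overlay_width_fixed` are stand-ins assumed for the example. Instead of the real heap, a one-slot arena whose free routine scribbles a poison pattern over the object is used, so the stale read in the free-then-read ordering yields a deterministic bogus width rather than undefined behaviour, which is also how sanitizer-style tooling makes this class of bug visible in tests.

```c
/* Added example, not SDL code: a stand-in image type and a poisoning
 * allocator show why reading hwdata->image->pitches[0] after XFree()
 * is a use-after-free, and why moving the free below the read is the fix.
 * All names here are assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for XvImage: only the field the SDL code reads. */
typedef struct {
    int pitches[1];
} ToyImage;

/* One-slot arena standing in for the Xlib allocator.  toy_free() never
 * hands memory back to the system; it overwrites the object with POISON,
 * the way a checker would, so a later read is observable. */
#define POISON 0x5a5a5a5a
static ToyImage g_slot;
static int g_slot_in_use = 0;

static ToyImage *toy_alloc(int pitch) {
    if (g_slot_in_use) return NULL;
    g_slot_in_use = 1;
    g_slot.pitches[0] = pitch;
    return &g_slot;
}

static void toy_free(ToyImage *img) {
    if (img != &g_slot) return;
    memset(img, 0x5a, sizeof *img);   /* every int field now reads as POISON */
    g_slot_in_use = 0;
}

/* The width the buggy ordering ends up with: the poison word divided by bpp. */
static int poisoned_pitch_as_width(int bpp) {
    return POISON / bpp;
}

/* Mirrors the PITCH_WORKAROUND block before the fix: the image is freed
 * first, then its pitch is read through the dangling pointer. */
static int overlay_width_buggy(ToyImage **image, int width, int bpp) {
    if (*image != NULL && (*image)->pitches[0] != width * bpp) {
        toy_free(*image);
        width = (*image)->pitches[0] / bpp;   /* stale read: sees POISON */
        *image = toy_alloc(width * bpp);
    }
    return width;
}

/* Same block with the free moved below the read, as in the fix. */
static int overlay_width_fixed(ToyImage **image, int width, int bpp) {
    if (*image != NULL && (*image)->pitches[0] != width * bpp) {
        width = (*image)->pitches[0] / bpp;   /* read while still valid */
        toy_free(*image);
        *image = toy_alloc(width * bpp);
    }
    return width;
}

/* Reset the arena, allocate an image with the given pitch, run one
 * ordering and return the width it computed. */
static int run_case(int (*fn)(ToyImage **, int, int), int pitch, int width, int bpp) {
    memset(&g_slot, 0, sizeof g_slot);
    g_slot_in_use = 0;
    ToyImage *img = toy_alloc(pitch);
    int w = fn(&img, width, bpp);
    if (img) toy_free(img);
    return w;
}

int main(void) {
    /* Constructed input: caller asked for 320 px at 2 bytes/px (640-byte
     * rows), but the server allocated 1280-byte rows. */
    printf("fixed ordering: width = %d\n", run_case(overlay_width_fixed, 1280, 320, 2));
    printf("buggy ordering: width = %d\n", run_case(overlay_width_buggy, 1280, 320, 2));
    return 0;
}
```

The fixed ordering derives the width from the live object (1280 / 2 = 640) and then replaces it; the buggy ordering reads whatever the freed slot contains. On a real heap that value depends on allocator internals and may happen to look correct, which is why the poisoning arena is the useful way to turn this into a failing test.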

sezero commented 2 years ago

Fix would simply be moving XFree() a line below: @icculus, @slouken?

diff --git a/src/video/x11/SDL_x11yuv.c b/src/video/x11/SDL_x11yuv.c
index 62698df..0d5754e 100644
--- a/src/video/x11/SDL_x11yuv.c
+++ b/src/video/x11/SDL_x11yuv.c
@@ -374,8 +374,8 @@ SDL_Overlay *X11_CreateYUVOverlay(_THIS, int width, int height, Uint32 format, S
 #ifdef PITCH_WORKAROUND
        if ( hwdata->image != NULL && hwdata->image->pitches[0] != (width*bpp) ) {
            /* Ajust overlay width according to pitch */ 
-           XFree(hwdata->image);
            width = hwdata->image->pitches[0] / bpp;
+           XFree(hwdata->image);
            hwdata->image = SDL_NAME(XvCreateImage)(GFX_Display, xv_port, format,
                                0, width, height);
        }
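Review bot: Worth confirming that the result of `SDL_NAME(XvCreateImage)` assigned to `hwdata->image` is NULL-checked after this block, since the old image is released here and a failed re-creation would leave a NULL pointer in `hwdata`; that check is outside the hunk, so please verify rather than assume. The reorder itself is correct: `width = hwdata->image->pitches[0] / bpp;` now reads the image before `XFree(hwdata->image);` releases it, and the pointer is overwritten on the next line so no dangling reference survives the block. While touching these lines, the comment `/* Ajust overlay width according to pitch */` has a typo (Adjust) and trailing whitespace.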
slouken commented 2 years ago

Yep, go ahead and fix it.

smcv commented 2 years ago

CVE-2022-34568 has apparently been assigned to this.