SDL: Fix buffer overflow in SDL_LoadFunction()

flathub · Sep 11, 2024 · 6443e38 · 6443e38
1 parent a4a03d7
commit 6443e38
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/SDL/SDL-1.2.15.json b/SDL/SDL-1.2.15.json
@@ -25,6 +25,10 @@
             "type": "patch",
             "path": "sdl-check-for-SDL_VIDEO_X11_BACKINGSTORE.patch"
         },
+        {
+            "type": "patch",
+            "path": "sdl-sysloadso-buffer-length.patch"
+        },
         {
             "type": "script",
             "dest-filename": "autogen.sh",

diff --git a/SDL/sdl-sysloadso-buffer-length.patch b/SDL/sdl-sysloadso-buffer-length.patch
@@ -0,0 +1,27 @@
+Origin: https://github.com/libsdl-org/SDL-1.2/commit/447ec3d2c360902aa648bec44b612a040248871e
+From: Ozkan Sezer <sezeroz@gmail.com>
+Description: loadso, dlsym, SDL_LoadFunction: cleanup the underscored name path.
+ - strlcpy was passed a wrong buffer length parameter. has worked so
+   far by luck.
+ - use memcpy instead of strlcpy for simplicity.
+ - 'append' has been a typo: should be 'prepend'.
+diff --git a/src/loadso/dlopen/SDL_sysloadso.c b/src/loadso/dlopen/SDL_sysloadso.c
+index 7985ee7f9..56331a1f0 100644
+--- a/src/loadso/dlopen/SDL_sysloadso.c
++++ b/src/loadso/dlopen/SDL_sysloadso.c
+@@ -45,11 +45,11 @@ void *SDL_LoadFunction(void *handle, const char *name)
+ {
+ 	void *symbol = dlsym(handle, name);
+ 	if ( symbol == NULL ) {
+-		/* append an underscore for platforms that need that. */
+-		size_t len = 1+SDL_strlen(name)+1;
+-		char *_name = SDL_stack_alloc(char, len);
++		/* prepend an underscore for platforms that need that. */
++		size_t len = SDL_strlen(name)+1;
++		char *_name = SDL_stack_alloc(char, len+1);
+ 		_name[0] = '_';
+-		SDL_strlcpy(&_name[1], name, len);
++		SDL_memcpy(&_name[1], name, len);
+ 		symbol = dlsym(handle, _name);
+ 		SDL_stack_free(_name);
+ 		if ( symbol == NULL ) {