The change makes sure that SDL_vsnprintf() nul terminates if it is
using _vsnprintf() for the job.
I made this patch for Watcom, whose _vsnprintf() doesn't guarantee
nul termination. The preprocessor check can be extended to windows
in general too, if required.
Closes bug #3769.
Like other C runtimes, it should probably produce the string "(null)".
This bug probably only affected Windows, as most platforms use their standard
C runtime's snprintf().
Tristan
The internal SDL_vsnprintf implementation accesses memory outside buffer. The bug existed also inside the format (%) processing, which was fixed with Bug 3441.
But there is still an invalid access, if we do not have any format inside the source string and the destination string is shorter than the format string. You can use any string for this test, as long it is longer than the buffer.
Example:
va_list argList;
char buffer[4];
SDL_vsnprintf(buffer, sizeof(buffer), "Testing", argList);
The bug is located on the 'else' branch of the format char test:
while (*fmt) {
if (*fmt == '%') {
...
} else {
if (left > 1) {
*text = *fmt;
--left;
}
++fmt;
++text;
}
}
if (left > 0) {
*text = '\0';
}
As you can see that text is always incremented, even when left is already one. When then on the last lines, *text is assigned the NULL char, the pointer is located outside bounds.
Fixes Bugzilla #3441.
"When using internal SDL_vsnprintf(), and source string length is greater
than destination, the final NULL char will be written beyond destination size.
Primary issue that is SDL_strlcpy returns length of source string
(SDL_PrintString()), not how much is written to destination. The destination
ptr is then incremented by this length before the sanity check is done.
Destination string is properly terminated, but an extra NULL char will be
written beyond destination buffer length.
Patch used internally is attached which fixes primary issue with SDL_strlcpy()
in SDL_PrintString() and adjusts sanity checks to increment destination ptr
safely."
This is a little macro magic to use malloc() directly instead of SDL_malloc(),
etc, so static analysis tests that know about the C runtime can function
properly, and understand that we are dealing with heap allocations, etc.
This changed our static analysis report from 5 outstanding bugs to 30.
5x as many bugs were hidden by SDL_malloc() not being recognized as malloc()
by the static analyzer!
sfalexrog
On systems with vsnprintf call SDL_SetError fails when passed a NULL as an argument. SDL's implementation checks for NULL (as seen in the commit: https://hg.libsdl.org/SDL/rev/5ba49d7a39a0), but system implementation may crash.
Some more recent compilers emit SSE aligned store instructions for the loop,
causing crashes if the destination buffer isn't aligned on a 32-bit boundary.
This would also crash on platforms like ARM that require aligned stores.
This fixes a crash inside SDL_FillRect that happens with the official x64 mingw
build.
--HG--
extra : rebase_source : afd0f856fd814e7345bd0c7d20ddac3ba0422813
pjz
SDL_ltoa(-2147483648,s,10) only returns "-" because there is a bug in the code:
if ( value < 0 ) {
*bufp++ = '-';
value = -value;
}
but -(-2147483648) is still -2147483648 (0x80000000) as signed int (or long), so the following loop doesn't run at all. Similar bug are also in SDL_lltoa.
BTW, there is no sanity check for radix.
norfanin
When SDL_vsnprintf handles the %x format specifier, a boolean is set to signal forced lower case. It also should be able to signal forced upper case for the %X specifier. A boolean is not sufficient anymore. The attached patch adds an enum for the three cases: lower, upper and no change.
Having the SDL functions inline is causing build issues, and in the case of malloc(), etc. causing malloc/free mismatches, if the application build environment differs from the SDL build environment.
In the interest of safety and consistency, the functions will always be in the SDL library and will only be redirected to the C library there, if they are available.
See the following threads on the SDL mailing list for the gruesome details:
* SDL_stdinc.h inlines problematic when application not compiled in exact same feature environment
* Error compiling program against SDL2 with -std=c++11 g++ flag
All SDL_* functions are always available as real symbols, so you can always
link against them as a stable ABI. By default, however, all the things that
might have dithered down to macros in your application are now force-inlined,
to give you the same effect as before and theoretically better performance,
but still solve the classic macro problems.
Elsewhere, we provide real functions for these things that simply wrap the
inline functions, in case one needs to have a real function available.
Also: this exposed bugs: SDL_abs() does something different if you had the
macro vs the libc function, SDL_memcpy() returns a void* in the function
but not the macro, etc.
