Fixed bug 2330 - Debian bug report: SDL2 X11 driver buffer overflow with large X11 file descriptor

manuel.montezelo

Original bug report (note that it was against 2.0.0, it might have been fixed in between): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733015

--------------------------------------------------------
Package: libsdl2-2.0-0
Version: 2.0.0+dfsg1-3
Severity: normal
Tags: patch

I have occasional crashes here caused by the X11 backend of SDL2. It seems to
be caused by the X11_Pending function trying to add a high-numbered (> 1024)
file descriptor to an fd_set before doing a select on it to avoid busy waiting
on X11 events. This causes a buffer overflow because the file descriptor is
larger than (or equal to) the limit FD_SETSIZE.

Attached is a possible workaround patch.

Please also keep in mind that fd_set is also used in the following files, which
may have similar problems.

src/audio/bsd/SDL_bsdaudio.c
src/audio/paudio/SDL_paudio.c
src/audio/qsa/SDL_qsa_audio.c
src/audio/sun/SDL_sunaudio.c
src/joystick/linux/SDL_sysjoystick.c


--------------------------------------------------------

On Tuesday 24 December 2013 00:43:13 Sven Eckelmann wrote:
> I have occasional crashes here caused by the X11 backend of SDL2. It seems
> to be caused by the X11_Pending function trying to add a high number (>
> 1024) file descriptor to a fd_set before doing a select on it to avoid busy
> waiting on X11 events. This causes a buffer overflow because the file
> descriptor is larger (or equal) than the limit FD_SETSIZE.


I personally experienced this problem while hacking on the python bindings
package for SDL2 [1] (while doing make runtest). But it is easier to reproduce in
a smaller, synthetic testcase.
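The failure mode the report describes, as an added example that is not SDL code and not the patch attached to the Debian report: `fd_set` is a fixed-size bitmap, so `FD_SET()` on a descriptor numbered `FD_SETSIZE` or higher writes past it. The block shows the `select()` pattern with the bound check the report says was missing, next to a `poll()` based wait that has no such limit, and exercises both on a pipe, including a descriptor duplicated up to `FD_SETSIZE` where the process limit allows it. Function names (`fd_fits_in_fd_set`, `wait_readable_select`, `wait_readable_poll`, `check_pipe_readiness`) are this example's own.

```c
/* Added example (not SDL's code): guarded select() vs. poll() readiness wait. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* fd_set holds FD_SETSIZE bits; FD_SET() on a larger fd is an out-of-bounds write. */
int fd_fits_in_fd_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* select()-based wait: 1 = readable, 0 = timeout, -1 = error.
 * Refuses descriptors the bitmap cannot hold instead of overflowing it. */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set readfds;
    struct timeval tv;
    int rc;

    if (!fd_fits_in_fd_set(fd)) {
        errno = EINVAL;             /* cannot be represented in an fd_set */
        return -1;
    }
    FD_ZERO(&readfds);
    FD_SET(fd, &readfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    rc = select(fd + 1, &readfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return FD_ISSET(fd, &readfds) ? 1 : 0;
}

/* poll()-based wait with the same contract; pollfd stores the fd as a plain
 * integer, so any valid descriptor number works. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd;
    int rc;

    pfd.fd = fd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    rc = poll(&pfd, 1, timeout_ms);
    if (rc < 0)
        return -1;
    return (pfd.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Run a waiter against a fresh pipe: must report "not readable" while the pipe
 * is empty and "readable" after one byte is written. Returns 1 on success. */
int check_pipe_readiness(int (*waiter)(int, int))
{
    int fds[2];
    int ok = 1;
    char byte = 'x';

    if (pipe(fds) != 0)
        return 0;
    if (waiter(fds[0], 0) != 0)         /* empty pipe: expect timeout */
        ok = 0;
    if (write(fds[1], &byte, 1) != 1)
        ok = 0;
    if (waiter(fds[0], 100) != 1)       /* data queued: expect readable */
        ok = 0;
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void)
{
    int fds[2], high, rc;

    printf("select on low fd ok: %d\n", check_pipe_readiness(wait_readable_select));
    printf("poll on low fd ok:   %d\n", check_pipe_readiness(wait_readable_poll));

    /* Recreate the report's condition: a descriptor numbered >= FD_SETSIZE.
     * F_DUPFD returns the lowest free number at or above its argument and
     * fails with EMFILE/EINVAL when RLIMIT_NOFILE is below it. */
    if (pipe(fds) != 0)
        return 1;
    high = fcntl(fds[0], F_DUPFD, FD_SETSIZE);
    if (high < 0) {
        printf("no fd >= %d available: %s (raise RLIMIT_NOFILE to try)\n",
               FD_SETSIZE, strerror(errno));
    } else {
        if (write(fds[1], "x", 1) != 1)
            return 1;
        rc = wait_readable_select(high, 0);
        printf("select on fd %d: %d (%s)\n", high, rc, strerror(errno));
        printf("poll on fd %d:   %d\n", high, wait_readable_poll(high, 100));
        close(high);
    }
    close(fds[0]);
    close(fds[1]);
    return 0;
}
```

The guard in `wait_readable_select` is the minimal fix for the crash; switching callers to `poll()` removes the limit altogether, which is why the generated `configure` below starts probing for `poll`.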
Sam Lantinga
2017-08-14 20:22:19 -07:00
parent 9451cd81ae
commit fb835f9e3b
18 changed files with 63 additions and 144 deletions

configure (vendored)

@@ -16631,7 +16631,7 @@ fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
fi
for ac_func in malloc calloc realloc free getenv setenv putenv unsetenv qsort abs bcopy memset memcpy memmove wcslen wcslcpy wcslcat wcscmp strlen strlcpy strlcat strdup _strrev _strupr _strlwr strchr strrchr strstr itoa _ltoa _uitoa _ultoa strtol strtoul _i64toa _ui64toa strtoll strtoull atoi atof strcmp strncmp _stricmp strcasecmp _strnicmp strncasecmp vsscanf vsnprintf fopen64 fseeko fseeko64 sigaction setjmp nanosleep sysconf sysctlbyname getauxval
for ac_func in malloc calloc realloc free getenv setenv putenv unsetenv qsort abs bcopy memset memcpy memmove wcslen wcslcpy wcslcat wcscmp strlen strlcpy strlcat strdup _strrev _strupr _strlwr strchr strrchr strstr itoa _ltoa _uitoa _ultoa strtol strtoul _i64toa _ui64toa strtoll strtoull atoi atof strcmp strncmp _stricmp strcasecmp _strnicmp strncasecmp vsscanf vsnprintf fopen64 fseeko fseeko64 sigaction setjmp nanosleep sysconf sysctlbyname getauxval poll
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
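Review bot: appending `poll` to this `for ac_func in ...` list only makes the probe define the corresponding HAVE_ macro; since this is the generated, vendored `configure`, the same addition must also be in the hand-written autoconf input or it is lost at the next regeneration, and the code that consumes the new macro (the commit message points at X11_Pending and the listed audio and joystick sources) should keep the existing select path as the fallback for platforms where the probe fails.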
@@ -23771,6 +23771,8 @@ $as_echo "#define SDL_TIMER_UNIX 1" >>confdefs.h
if test x$use_input_events = xyes; then
SOURCES="$SOURCES $srcdir/src/core/linux/SDL_evdev*.c"
fi
# Set up other core UNIX files
SOURCES="$SOURCES $srcdir/src/core/unix/*.c"
;;
*-*-cygwin* | *-*-mingw32*)
ARCH=win32
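Review bot: the new `SOURCES="$SOURCES $srcdir/src/core/unix/*.c"` line is added only to this case branch (the hunk closes it with `;;` right before `*-*-cygwin* | *-*-mingw32*`); if that directory carries the shared poll-based helper the commit message implies, every other Unix-like target that builds the X11 video driver or the listed audio backends needs the same line, and the comment `# Set up other core UNIX files` should name what the directory provides so the dependency is visible when reading the case statement.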