Date: Sun, 7 Sep 2008 15:17:00 +0200

From: c2woody@gmx.net Subject: [SDL] SDL 1.2 doube free/pointer zeroing missing Hello, this is about a crash/debug breakage for the current SDL 1.2 source tree (today's svn checkout, same problem in 1.2.13 and before as far as relevant). In some places memory is free()d but the associated pointer is not zeroed, leading to for example double free()s. For me this happened because SDL_StopEventThread() was executed twice (during restart of the subsystems), once for the close down in SDL_VideoQuit() and once at the startup, right at the beginning of SDL_StartEventLoop(). Thus the code SDL_DestroyMutex(SDL_EventQ.lock); (see SDL_events.c) was called twice and executed the SDL_free(mutex); twice as well, leading to a crash (msvc 64bit for which it was noticed). I've tried to check all other occurrences of SDL_free and similar code in msvc, see the attached patch (udiff against revision 4082). Non-windows only codepaths have neither been checked nor touched. Comments/ideas welcome. Attached patch: NULLifies some pointers after they have been free()d. --HG-- branch : SDL-1.2 extra : convert_revision : svn%3Ac70aab31-4412-0410-b14c-859654838e24/branches/SDL-1.2%403237

Date: Sun, 7 Sep 2008 15:17:00 +0200
From: c2woody@gmx.net Subject: [SDL] SDL 1.2 doube free/pointer zeroing missing Hello, this is about a crash/debug breakage for the current SDL 1.2 source tree (today's svn checkout, same problem in 1.2.13 and before as far as relevant). In some places memory is free()d but the associated pointer is not zeroed, leading to for example double free()s. For me this happened because SDL_StopEventThread() was executed twice (during restart of the subsystems), once for the close down in SDL_VideoQuit() and once at the startup, right at the beginning of SDL_StartEventLoop(). Thus the code SDL_DestroyMutex(SDL_EventQ.lock); (see SDL_events.c) was called twice and executed the SDL_free(mutex); twice as well, leading to a crash (msvc 64bit for which it was noticed). I've tried to check all other occurrences of SDL_free and similar code in msvc, see the attached patch (udiff against revision 4082). Non-windows only codepaths have neither been checked nor touched. Comments/ideas welcome. Attached patch: NULLifies some pointers after they have been free()d. --HG-- branch : SDL-1.2 extra : convert_revision : svn%3Ac70aab31-4412-0410-b14c-859654838e24/branches/SDL-1.2%403237
3e3345c7 · Sam Lantinga · 94a4eda4 · 3e3345c7 · 3e3345c7 · 3e3345c7
Commit 3e3345c7 authored Nov 12, 2008 by Sam Lantinga
6 changed files
--- a/src/audio/SDL_wave.c
+++ b/src/audio/SDL_wave.c
@@ -440,6 +440,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
 	do {
 		if ( chunk.data != NULL ) {
 			SDL_free(chunk.data);
+			chunk.data = NULL;
 		}
 		lenread = ReadChunk(src, &chunk);
 		if ( lenread < 0 ) {
@@ -522,6 +523,7 @@ SDL_AudioSpec * SDL_LoadWAV_RW (SDL_RWops *src, int freesrc,
 	do {
 		if ( *audio_buf != NULL ) {
 			SDL_free(*audio_buf);
+			*audio_buf = NULL;
 		}
 		lenread = ReadChunk(src, &chunk);
 		if ( lenread < 0 ) {
@@ -591,6 +593,7 @@ static int ReadChunk(SDL_RWops *src, Chunk *chunk)
 	if ( SDL_RWread(src, chunk->data, chunk->length, 1) != 1 ) {
 		SDL_Error(SDL_EFREAD);
 		SDL_free(chunk->data);
+		chunk->data = NULL;
 		return(-1);
 	}
 	return(chunk->length);

--- a/src/cdrom/win32/SDL_syscdrom.c
+++ b/src/cdrom/win32/SDL_syscdrom.c
@@ -377,6 +377,7 @@ void SDL_SYS_CDQuit(void)
 	if ( SDL_numcds > 0 ) {
 		for ( i=0; i<SDL_numcds; ++i ) {
 			SDL_free(SDL_cdlist[i]);
+			SDL_cdlist[i] = NULL;
 		}
 		SDL_numcds = 0;
 	}

--- a/src/events/SDL_events.c
+++ b/src/events/SDL_events.c
@@ -191,9 +191,11 @@ static void SDL_StopEventThread(void)
 		SDL_WaitThread(SDL_EventThread, NULL);
 		SDL_EventThread = NULL;
 		SDL_DestroyMutex(SDL_EventLock.lock);
+		SDL_EventLock.lock = NULL;
 	}
 #ifndef IPOD
 	SDL_DestroyMutex(SDL_EventQ.lock);
+	SDL_EventQ.lock = NULL;
 #endif
 }

--- a/src/joystick/win32/SDL_mmjoystick.c
+++ b/src/joystick/win32/SDL_mmjoystick.c
@@ -344,6 +344,7 @@ void SDL_SYS_JoystickClose(SDL_Joystick *joystick)
 	if (joystick->hwdata != NULL) {
 		/* free system specific hardware data */
 		SDL_free(joystick->hwdata);
+		joystick->hwdata = NULL;
 	}
 }
@@ -354,6 +355,7 @@ void SDL_SYS_JoystickQuit(void)
 	for (i = 0; i < MAX_JOYSTICKS; i++) {
 		if ( SYS_JoystickName[i] != NULL ) {
 			SDL_free(SYS_JoystickName[i]);
+			SYS_JoystickName[i] = NULL;
 		}
 	}
 }

--- a/src/video/SDL_yuv_sw.c
+++ b/src/video/SDL_yuv_sw.c
@@ -1294,5 +1294,6 @@ void SDL_FreeYUV_SW(_THIS, SDL_Overlay *overlay)
 			SDL_free(swdata->rgb_2_pix);
 		}
 		SDL_free(swdata);
+		overlay->hwdata = NULL;
 	}
 }
--- a/src/video/windx5/SDL_dx5yuv.c
+++ b/src/video/windx5/SDL_dx5yuv.c
@@ -290,6 +290,7 @@ void DX5_FreeYUVOverlay(_THIS, SDL_Overlay *overlay)
 			IDirectDrawSurface_Release(hwdata->surface);
 		}
 		SDL_free(hwdata);
+		overlay->hwdata = NULL;
 	}
 }