Commit Graph

5 Commits (d03409e118785c0a7135173ff4492a0c9d45799d)

Author SHA1 Message Date
Sam Lantinga 1da252c2d8 Fixed crash in bug 3367 - RGBA_FROM_PIXEL macro can't handle SDL_PIXELFORMAT_ARGB2101010
Simon Hug

The RGBA_FROM_PIXEL macro in src/video/blit.h [1] is not designed to work with more than 8 bits per channel and the ARGB2101010 format makes it read outside of the array bounds causing access violations. This can happen during blitting with the BlitNtoNPixelAlpha and SDL_Blit_Slow functions.

When SDL_InitFormat tries to calculate the loss of the channels [2], the Uint8 will wrap around and it will end up at 254 for the 10-bit channels. Clearly way over the 9 entries of the SDL_expand_byte array. (Not that a signed integer would help.) Then the macro tries to access the lookup table with the channel value which could be up to 1023. If the previous indirection didn't cause an access violation this one will.

I guess it's not worth modifying this macro for a format that only a few will use. It will only make the other blitters slower. I don't have good ideas to solve this issue.

Attached is a test case that does three blits. A copy one that work and the two that use the functions mentioned above.

[1] https://hg.libsdl.org/SDL/file/cd1994d4f3c6/src/video/SDL_blit.h#l303
[2] https://hg.libsdl.org/SDL/file/cd1994d4f3c6/src/video/SDL_pixels.c#l540
2017-08-11 18:56:41 -07:00
Sam Lantinga 45b774e3f7 Updated copyright for 2017 2017-01-01 18:33:28 -08:00
Sam Lantinga 49225f5f04 We don't currently support blitting to < 8 bpp surfaces, return an error instead of corrupting memory in that case. 2016-12-31 18:11:19 -08:00
Sam Lantinga 42065e785d Updated copyright to 2016 2016-01-02 10:10:34 -08:00
Philipp Wiesemann 0e45984fa0 Fixed crash if initialization of EGL failed but was tried again later.
The internal function SDL_EGL_LoadLibrary() did not delete and remove a mostly
uninitialized data structure if loading the library first failed. A later try to
use EGL then skipped initialization and assumed it was previously successful
because the data structure now already existed. This led to at least one crash
in the internal function SDL_EGL_ChooseConfig() because a NULL pointer was
dereferenced to make a call to eglBindAPI().
2015-06-21 17:33:46 +02:00