Bug#733015: [libsdl2-2.0-0] SDL2 X11 driver buffer overflow with large X11 file descriptor
Sven Eckelmann
sven at narfation.org
Mon Dec 23 23:43:13 UTC 2013
Package: libsdl2-2.0-0
Version: 2.0.0+dfsg1-3
Severity: normal
Tags: patch
I have occasional crashes here caused by the X11 backend of SDL2. It seems to
be caused by the X11_Pending function trying to add a high-numbered (> 1024)
file descriptor to an fd_set before doing a select on it to avoid busy waiting
on X11 events. This causes a buffer overflow because the file descriptor is
larger than (or equal to) the limit FD_SETSIZE.

Attached is a possible workaround patch.

Please also keep in mind that fd_sets are also used in the following files, which
may have similar problems.
src/audio/bsd/SDL_bsdaudio.c
src/audio/paudio/SDL_paudio.c
src/audio/qsa/SDL_qsa_audio.c
src/audio/sun/SDL_sunaudio.c
src/joystick/linux/SDL_sysjoystick.c
--- System information. ---
Architecture: amd64
Kernel: Linux 3.11-2-amd64
Debian Release: jessie/sid
500 unstable http.debian.net
1 unstable www.deb-multimedia.org
--- Package information. ---
Depends (Version) | Installed
==================================-+-==================
libasound2 (>= 1.0.16) |
libc6 (>= 2.15) |
libpulse0 (>= 0.99.1) |
libts-0.0-0 (>= 1.0) |
libx11-6 (>= 2:1.2.99.901) |
libxcursor1 (>> 1.1.2) |
libxext6 |
libxi6 (>= 2:1.2.99.4) |
libxinerama1 |
libxrandr2 (>= 2:1.2.0) |
libxss1 |
libxxf86vm1 |
Package's Recommends field is empty.
Package's Suggests field is empty.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: buffer_overflow_fdset.patch
Type: text/x-patch
Size: 938 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-sdl-maintainers/attachments/20131224/633abf66/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-sdl-maintainers/attachments/20131224/633abf66/attachment.sig>
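
Added example (not part of the original report, not the attached patch, and not SDL2 code): two ways to wait on a descriptor without the FD_SETSIZE overflow described above, one that refuses descriptors that do not fit in an fd_set and one that uses poll(), which has no such limit. All function names are hypothetical.

```c
/* Added illustration; helper names are hypothetical, not SDL2 API. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* select() variant: FD_SET() on fd >= FD_SETSIZE writes outside the fd_set,
 * so refuse such descriptors instead of touching the set.
 * Returns 1 if readable, 0 on timeout, -1 on error. */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int r;
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    r = select(fd + 1, &rfds, NULL, NULL, &tv);
    return r > 0 ? 1 : r;
}

/* poll() variant: the descriptor is passed by value, so its numeric size
 * does not matter. Same return convention as above. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int r = poll(&p, 1, timeout_ms);
    if (r > 0 && (p.revents & POLLNVAL)) {
        errno = EBADF;
        return -1;
    }
    return r > 0 ? 1 : r;
}

/* Test helper: duplicate fd onto a descriptor >= FD_SETSIZE, raising the soft
 * RLIMIT_NOFILE to the hard limit first. Returns -1 if the limits forbid it. */
int dup_above_fdsetsize(int fd)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < rl.rlim_max) {
        rl.rlim_cur = rl.rlim_max;
        setrlimit(RLIMIT_NOFILE, &rl);
    }
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}
```
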