ref: befb5f7fb5b7f7d046e0a0b931b1fbfbb31ce06e
parent: 5d12071f17a7f759dd0ec0131bf80dc58e2e448c
author: Gabriel Ravier <gabravier@gmail.com>
date: Mon Jan 6 05:43:28 EST 2020
ScaleAndUploadSurface no longer takes ownership of the surface it is passed and no longer frees it. This corrects multiple occurrences of use-after-free caused by using the passed surface after a call to ScaleAndUploadSurface.
--- a/src/Draw.cpp
+++ b/src/Draw.cpp
@@ -160,8 +160,6 @@
{
SDL_Surface *converted_surface = SDL_ConvertSurfaceFormat(surface, SDL_PIXELFORMAT_RGB24, 0);
- SDL_FreeSurface(surface);
-
if (converted_surface == NULL)
return FALSE;
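Review bot: Nothing in the visible lines records the new ownership rule for `surface`, which is what this commit changes and what caused the use-after-free in the first place. I would add a comment above the function such as `// Does not take ownership of 'surface': the caller must SDL_FreeSurface() it on both success and failure`. The function signature and the rest of its body are outside the hunk, so an existing comment there may need updating instead.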
@@ -243,6 +241,7 @@
if (!ScaleAndUploadSurface(surface, surf_no))
{
Backend_FreeSurface(surf[surf_no]);
+ SDL_FreeSurface(surface);
return FALSE;
}
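Review bot: On this failure path `Backend_FreeSurface(surf[surf_no]);` releases the backend surface, but the visible lines do not clear the slot, so `surf[surf_no]` appears to keep a dangling pointer after `return FALSE`. Since this commit is fixing use-after-free, it is worth adding `surf[surf_no] = NULL;` right after the backend free so a later release or draw on that slot cannot touch freed memory. The same pattern appears in the hunk at @@ -302. Whether other code already resets or NULL-checks the slot is outside these hunks, so please confirm.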
@@ -251,6 +250,7 @@
surface_metadata[surf_no].height = surface->h;
surface_metadata[surf_no].bSystem = FALSE;
strcpy(surface_metadata[surf_no].name, name);
+ SDL_FreeSurface(surface);
return TRUE;
}
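Review bot: `strcpy(surface_metadata[surf_no].name, name);` copies `name` with no length bound, so a name longer than the destination field would write past it. The field's declaration is not visible here; if it is a fixed-size array, a bounded copy such as `snprintf(surface_metadata[surf_no].name, sizeof(surface_metadata[surf_no].name), "%s", name);` avoids the overflow and always terminates the string. The same call appears in the hunks at @@ -310, @@ -327 and @@ -366. The placement of the new `SDL_FreeSurface(surface);` after the last read of `surface->h` looks right.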
@@ -302,6 +302,7 @@
if (!ScaleAndUploadSurface(surface, surf_no))
{
Backend_FreeSurface(surf[surf_no]);
+ SDL_FreeSurface(surface);
return FALSE;
}
@@ -310,6 +311,7 @@
surface_metadata[surf_no].height = surface->h;
surface_metadata[surf_no].bSystem = FALSE;
strcpy(surface_metadata[surf_no].name, name);
+ SDL_FreeSurface(surface);
return TRUE;
}
@@ -327,8 +329,13 @@
SDL_Surface *surface = SDL_LoadBMP_RW(fp, 1);
if (!ScaleAndUploadSurface(surface, surf_no))
+ {
+ SDL_FreeSurface(surface);
return FALSE;
+ }
+ SDL_FreeSurface(surface);
+
surface_metadata[surf_no].type = SURFACE_SOURCE_RESOURCE;
strcpy(surface_metadata[surf_no].name, name);
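Review bot: The result of `SDL_LoadBMP_RW(fp, 1)` is passed straight to `ScaleAndUploadSurface` with no NULL check between the two visible lines, so a missing or malformed bitmap resource hands a NULL surface to `SDL_ConvertSurfaceFormat`. Whether that call tolerates NULL depends on the SDL version in use, so I would not rely on it; add `if (surface == NULL) return FALSE;` right after the load. `SDL_FreeSurface` accepts NULL, so the new frees are safe either way. The start of the enclosing function is outside the hunk.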
@@ -366,8 +373,12 @@
}
if (!ScaleAndUploadSurface(surface, surf_no))
+ {
+ SDL_FreeSurface(surface);
return FALSE;
+ }
+ SDL_FreeSurface(surface);
surface_metadata[surf_no].type = SURFACE_SOURCE_FILE;
strcpy(surface_metadata[surf_no].name, name);
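Review bot: `SDL_FreeSurface(surface);` is now written twice, once in the failure branch and once after it, which makes it easy for a future early return to miss the free. Since `surface` is not read after the upload in the visible lines, the result can be stored and the surface freed once: `const BOOL ok = ScaleAndUploadSurface(surface, surf_no);`, `SDL_FreeSurface(surface);`, `if (!ok) return FALSE;` (the `BOOL` type is assumed from the `TRUE`/`FALSE` returns). The hunk at @@ -327 has the same shape. The enclosing function starts and ends outside the hunk.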
--
⑨