

ref: befb5f7fb5b7f7d046e0a0b931b1fbfbb31ce06e
parent: 5d12071f17a7f759dd0ec0131bf80dc58e2e448c
author: Gabriel Ravier <gabravier@gmail.com>
date: Mon Jan 6 05:43:28 EST 2020

ScaleAndUploadSurface no longer takes ownership of the surface it is passed, and no longer frees it. This corrects multiple occurrences of use-after-free caused by using the passed surface after a call to ScaleAndUploadSurface with it.

--- a/src/Draw.cpp
+++ b/src/Draw.cpp
@@ -160,8 +160,6 @@
 {
 	SDL_Surface *converted_surface = SDL_ConvertSurfaceFormat(surface, SDL_PIXELFORMAT_RGB24, 0);
 
-	SDL_FreeSurface(surface);
-
 	if (converted_surface == NULL)
 		return FALSE;
 
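Review bot: The ownership contract that this hunk changes is not recorded anywhere at the function itself; the only evidence that the caller now owns the surface is the absent SDL_FreeSurface call, which the next person editing this body may well "fix" back. A one-line comment at the top of the function, such as `// Does not take ownership of 'surface'; the caller frees it after this returns, whether or not the upload succeeds.`, would pin the contract next to the code. The signature of ScaleAndUploadSurface is above the hunk and the rest of its body continues below it.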
@@ -243,6 +241,7 @@
 	if (!ScaleAndUploadSurface(surface, surf_no))
 	{
 		Backend_FreeSurface(surf[surf_no]);
+		SDL_FreeSurface(surface);
 		return FALSE;
 	}
 
@@ -251,6 +250,7 @@
 	surface_metadata[surf_no].height = surface->h;
 	surface_metadata[surf_no].bSystem = FALSE;
 	strcpy(surface_metadata[surf_no].name, name);
+	SDL_FreeSurface(surface);
 
 	return TRUE;
 }
@@ -302,6 +302,7 @@
 	if (!ScaleAndUploadSurface(surface, surf_no))
 	{
 		Backend_FreeSurface(surf[surf_no]);
+		SDL_FreeSurface(surface);
 		return FALSE;
 	}
 
@@ -310,6 +311,7 @@
 	surface_metadata[surf_no].height = surface->h;
 	surface_metadata[surf_no].bSystem = FALSE;
 	strcpy(surface_metadata[surf_no].name, name);
+	SDL_FreeSurface(surface);
 
 	return TRUE;
 }
@@ -327,8 +329,13 @@
 	SDL_Surface *surface = SDL_LoadBMP_RW(fp, 1);
 
 	if (!ScaleAndUploadSurface(surface, surf_no))
+	{
+		SDL_FreeSurface(surface);
 		return FALSE;
+	}
 
+	SDL_FreeSurface(surface);
+
 	surface_metadata[surf_no].type = SURFACE_SOURCE_RESOURCE;
 	strcpy(surface_metadata[surf_no].name, name);
 
@@ -366,8 +373,12 @@
 	}
 
 	if (!ScaleAndUploadSurface(surface, surf_no))
+	{
+		SDL_FreeSurface(surface);
 		return FALSE;
+	}
 
+	SDL_FreeSurface(surface);
 	surface_metadata[surf_no].type = SURFACE_SOURCE_FILE;
 	strcpy(surface_metadata[surf_no].name, name);
 
--