Problems allocating large surfaces

Hi,

There are problems when allocating large surfaces using
SDL_CreateRGBSurface.

When, for example, we try to allocate a surface wider than 16384 pixels,
the calculation of the pitch overflows; this leads to a surface that
has the w and h flags correctly set, but whose “pixels” buffer is too
small. That may lead to heap corruption.

SDL_Surface * SDL_CreateRGBSurface (Uint32 flags,
int width, int height, int depth,
Uint32 Rmask, Uint32 Gmask, Uint32 Bmask,
Uint32 Amask)
{
(…)
surface->w = width;
surface->h = height;
surface->pitch = SDL_CalculatePitch(surface);
(…)
surface->pixels = malloc(surface->h*surface->pitch);
(…)
}

Uint16 SDL_CalculatePitch(SDL_Surface *surface)
{
Uint16 pitch;

     /* Surface should be 4-byte aligned for speed */
     pitch = surface->w*surface->format->BytesPerPixel;

(...)

}

Of course, it may seem, at first glance, a little pointless to
allocate such wide surfaces. However, one may consider an SDL application
that is using SDL_ttf to display a string the user typed. As SDL_ttf
allocates an SDL surface as wide as necessary, there may be severe issues
if the user typed too long a string, especially in a multiplayer setup,
where this may be a security issue.

I suggest SDL_CreateRGBSurface return a NULL surface if width or
height is bigger than a given size.

Cheers,
Ayin–
Battle for Wesnoth – www.wesnoth.org
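The truncation described above, as an added example that is not SDL's own code: the structs are constructed stand-ins for the SDL fields involved, the unchecked function mirrors the Uint16 pitch arithmetic, and the checked function shows the kind of overflow guard a caller would want before the buffer is sized (the 4-byte alignment step elided in the quoted SDL_CalculatePitch is left out).

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef uint16_t Uint16;

/* Mirrors the original: w*BytesPerPixel is computed as int and then stored
   in a Uint16, so anything above 65535 wraps modulo 65536. */
Uint16 pitch_unchecked(int w, int bytes_per_pixel) {
    Uint16 pitch = (Uint16)(w * bytes_per_pixel);
    return pitch;
}

/* Size that the unchecked code passes to malloc(): h * (truncated pitch). */
size_t unchecked_alloc_size(int w, int h, int bytes_per_pixel) {
    return (size_t)h * pitch_unchecked(w, bytes_per_pixel);
}

/* Hypothetical guarded variant: returns 1 and fills pitch/bytes when the
   pitch fits the Uint16 field and h*pitch fits size_t, else returns 0 so
   the caller can fail the allocation (as SDL_CreateRGBSurface returning
   NULL would). */
int pitch_checked(int w, int h, int bytes_per_pixel,
                  Uint16 *pitch_out, size_t *bytes_out) {
    if (w <= 0 || h <= 0 || bytes_per_pixel <= 0) return 0;
    unsigned long long raw = (unsigned long long)w * (unsigned long long)bytes_per_pixel;
    if (raw > 0xFFFFull) return 0;            /* would be truncated to Uint16 */
    unsigned long long total = raw * (unsigned long long)h;
    if (total > (unsigned long long)SIZE_MAX) return 0;
    *pitch_out = (Uint16)raw;
    *bytes_out = (size_t)total;
    return 1;
}

int main(void) {
    /* Constructed case from the report: one pixel wider than 16384, 32 bpp. */
    int w = 16385, h = 100, bpp = 4;
    printf("truncated pitch: %u, malloc size: %zu bytes (needed %llu)\n",
           pitch_unchecked(w, bpp), unchecked_alloc_size(w, h, bpp),
           (unsigned long long)w * bpp * h);
    Uint16 pitch; size_t bytes;
    printf("checked: %s\n", pitch_checked(w, h, bpp, &pitch, &bytes) ? "ok" : "rejected");
    return 0;
}
```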

Hi,

> There are problems when allocating large surfaces using
> SDL_CreateRGBSurface.
>
> When, for example, we try to allocate a surface wider than 16384 pixels,
> the calculation of the pitch overflows; this leads to a surface that
> has the w and h flags correctly set, but whose “pixels” buffer is too
> small. That may lead to heap corruption.

Thanks, I’ve put in a check and return a NULL surface if that happens.

See ya,
-Sam Lantinga, Software Engineer, Blizzard Entertainment