From 07f995eb72091c32e856d069ef499b23f5d2cef0 Mon Sep 17 00:00:00 2001
From: Sam Lantinga <[EMAIL REDACTED]>
Date: Sat, 15 Nov 2025 08:37:06 -0800
Subject: [PATCH] Passing NULL path to SDL_OpenFileStorage() gives access to
the whole filesystem
---
src/storage/generic/SDL_genericstorage.c | 44 +++++++++++-------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/src/storage/generic/SDL_genericstorage.c b/src/storage/generic/SDL_genericstorage.c
index f03e7c4739712..8ba423191c95d 100644
--- a/src/storage/generic/SDL_genericstorage.c
+++ b/src/storage/generic/SDL_genericstorage.c
@@ -345,21 +345,22 @@ SDL_Storage *GENERIC_OpenFileStorage(const char *path)
char *prepend = NULL;
bool is_absolute = false;
- if (path && !*path) {
- path = NULL; // so we don't end up with str[-1] later due to empty string.
- }
-
- if (path) {
- #ifdef SDL_PLATFORM_WINDOWS
- const char ch = (char) SDL_toupper(path[0]);
- is_absolute = (ch == '/') || // some sort of absolute Unix-style path.
- (ch == '\\') || // some sort of absolute Windows-style path.
- (((ch >= 'A') && (ch <= 'Z')) && (path[1] == ':') && ((path[2] == '\\') || (path[2] == '/'))); // an absolute path with a drive letter.
- #else
- is_absolute = (path[0] == '/'); // some sort of absolute Unix-style path.
- #endif
+ if (!path || !*path) {
+#ifdef SDL_PLATFORM_WINDOWS
+ path = "C:/";
+#else
+ path = "/";
+#endif
}
+#ifdef SDL_PLATFORM_WINDOWS
+ const char ch = (char) SDL_toupper(path[0]);
+ is_absolute = (ch == '/') || // some sort of absolute Unix-style path.
+ (ch == '\\') || // some sort of absolute Windows-style path.
+ (((ch >= 'A') && (ch <= 'Z')) && (path[1] == ':') && ((path[2] == '\\') || (path[2] == '/'))); // an absolute path with a drive letter.
+#else
+ is_absolute = (path[0] == '/'); // some sort of absolute Unix-style path.
+#endif
if (!is_absolute) {
prepend = SDL_GetCurrentDirectory();
if (!prepend) {
@@ -367,21 +368,18 @@ SDL_Storage *GENERIC_OpenFileStorage(const char *path)
}
}
- const char *finalpath = path ? path : prepend;
- SDL_assert(finalpath != NULL); // _one_ of these had to be non-NULL...
- const size_t len = SDL_strlen(finalpath);
- SDL_assert(len > 0); // _one_ of these had to be non-empty...
+ const size_t len = SDL_strlen(path);
const char *appended_separator = "";
- #ifdef SDL_PLATFORM_WINDOWS
- if ((finalpath[len-1] != '/') && (finalpath[len-1] != '\\')) {
+#ifdef SDL_PLATFORM_WINDOWS
+ if ((path[len-1] != '/') && (path[len-1] != '\\')) {
appended_separator = "/";
}
- #else
- if (finalpath[len-1] != '/') {
+#else
+ if (path[len-1] != '/') {
appended_separator = "/";
}
- #endif
- const int rc = SDL_asprintf(&basepath, "%s%s%s", prepend ? prepend : "", path ? path : "", appended_separator);
+#endif
+ const int rc = SDL_asprintf(&basepath, "%s%s%s", prepend ? prepend : "", path, appended_separator);
SDL_free(prepend);
if (rc < 0) {
return NULL;