From 2cb9a4fcc14121305e9a0975ded67bc67a66ae57 Mon Sep 17 00:00:00 2001 From: Eddy Jansson Date: Thu, 4 Dec 2025 20:43:30 +0100 Subject: [PATCH] log: Fix unlikely out-of-bounds issue. In the unlikely case that the overflow check should fail, the else clause would switch to the truncated stack message without updating the len variable. This would contain the return value from vsnprintf(), meaning it could point beyond the buffer. The subsequent code which trims NL and CR from the buffer, would then read -- and possibly write -- out-of-bounds. To fix this, we split the two joint conditions into separate if-clauses, and adjust the len variable in the case where we know the message buffer was truncated. --- src/SDL_log.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/src/SDL_log.c b/src/SDL_log.c index ae39c0b7da..d9b9733dc9 100644 --- a/src/SDL_log.c +++ b/src/SDL_log.c @@ -612,15 +612,21 @@ void SDL_LogMessageV(int category, SDL_LogPriority priority, SDL_PRINTF_FORMAT_S } // If message truncated, allocate and re-render - if (len >= sizeof(stack_buf) && SDL_size_add_check_overflow(len, 1, &len_plus_term)) { - // Allocate exactly what we need, including the zero-terminator - message = (char *)SDL_malloc(len_plus_term); - if (!message) { - return; + if (len >= sizeof(stack_buf)) { + if (SDL_size_add_check_overflow(len, 1, &len_plus_term)) { + // Allocate exactly what we need, including the zero-terminator + message = (char *)SDL_malloc(len_plus_term); + if (!message) { + return; + } + va_copy(aq, ap); + len = SDL_vsnprintf(message, len_plus_term, fmt, aq); + va_end(aq); + } else { + // Allocation would overflow, use truncated message + message = stack_buf; + len = sizeof(stack_buf); } - va_copy(aq, ap); - len = SDL_vsnprintf(message, len_plus_term, fmt, aq); - va_end(aq); } else { message = stack_buf; }