Prevent crashes if freed objects are passed to SDL API functions

Instead of using the magic tag in the object, we'll actually keep track of valid objects Fixes https://github.com/libsdl-org/SDL/issues/9869 Fixes https://github.com/libsdl-org/SDL/issues/9235
2025-09-30 15:08:31 +00:00 · 2024-06-03 04:09:28 -07:00
parent 57a15933cd
commit b0e93e4e63
28 changed files with 191 additions and 126 deletions
--- a/src/sensor/SDL_sensor.c
+++ b/src/sensor/SDL_sensor.c
@@ -56,13 +56,12 @@ static SDL_AtomicInt SDL_sensor_lock_pending;
 static int SDL_sensors_locked;
 static SDL_bool SDL_sensors_initialized;
 static SDL_Sensor *SDL_sensors SDL_GUARDED_BY(SDL_sensor_lock) = NULL;
-static char SDL_sensor_magic;

-#define CHECK_SENSOR_MAGIC(sensor, retval)              \
-    if (!sensor || sensor->magic != &SDL_sensor_magic) { \
-        SDL_InvalidParamError("sensor");                \
-        SDL_UnlockSensors();                            \
-        return retval;                                  \
+#define CHECK_SENSOR_MAGIC(sensor, retval)                  \
+    if (!SDL_ObjectValid(sensor, SDL_OBJECT_TYPE_SENSOR)) { \
+        SDL_InvalidParamError("sensor");                    \
+        SDL_UnlockSensors();                                \
+        return retval;                                      \
    }

 SDL_bool SDL_SensorsInitialized(void)
@@ -327,13 +326,14 @@ SDL_Sensor *SDL_OpenSensor(SDL_SensorID instance_id)
        SDL_UnlockSensors();
        return NULL;
    }
-    sensor->magic = &SDL_sensor_magic;
+    SDL_SetObjectValid(sensor, SDL_OBJECT_TYPE_SENSOR, SDL_TRUE);
    sensor->driver = driver;
    sensor->instance_id = instance_id;
    sensor->type = driver->GetDeviceType(device_index);
    sensor->non_portable_type = driver->GetDeviceNonPortableType(device_index);

    if (driver->Open(sensor, device_index) < 0) {
+        SDL_SetObjectValid(sensor, SDL_OBJECT_TYPE_SENSOR, SDL_FALSE);
        SDL_free(sensor);
        SDL_UnlockSensors();
        return NULL;
@@ -508,6 +508,7 @@ void SDL_CloseSensor(SDL_Sensor *sensor)

        sensor->driver->Close(sensor);
        sensor->hwdata = NULL;
+        SDL_SetObjectValid(sensor, SDL_OBJECT_TYPE_SENSOR, SDL_FALSE);

        sensorlist = SDL_sensors;
        sensorlistprev = NULL;
--- a/src/sensor/SDL_syssensor.h
+++ b/src/sensor/SDL_syssensor.h
@@ -32,8 +32,6 @@
 /* The SDL sensor structure */
 struct SDL_Sensor
 {
-    const void *magic _guarded;
-
    SDL_SensorID instance_id _guarded;   /* Device instance, monotonically increasing from 0 */
    char *name _guarded;                 /* Sensor name - system dependent */
    SDL_SensorType type _guarded;        /* Type of the sensor */