eden-emu/SDL
15
0
Fork 0
mirror of https://github.com/libsdl-org/SDL.git synced 2025-05-30 08:27:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Check for device disconnection in HIDAPI_JoystickOpen()

Browse source 
HIDAPI joystick drivers may call HIDAPI_JoystickDisconnected() in their
UpdateDevice() function during HIDAPI_JoystickOpen(). If they do this
today, the opened joystick will end up partially initialized (no name,
path, mapping GUID, etc.) because HIDAPI_GetDeviceByIndex() will no
longer be able to find the SDL_HIDAPI_Device for the removed joystick.

Worse still, joystick->hwdata->device becomes a dangling freed pointer
the next time HIDAPI_UpdateDeviceList() is called. This leads to a UAF
when the application or SDL calls SDL_JoystickClose() on this joystick.

Fix all this by checking if the device no longer has any associated
joysticks after calling UpdateDevice() and failing the open call if so.
This commit is contained in:
Cameron Gutman 2023-10-17 21:41:30 -05:00
parent b733adb503
commit 435e7ce663
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/joystick/hidapi/SDL_hidapijoystick.c
View file

@ -1440,6 +1440,12 @@ static int HIDAPI_JoystickOpen(SDL_Joystick *joystick, int device_index)
device->updating = SDL_FALSE;
SDL_UnlockMutex(device->dev_lock);
/* UpdateDevice() may have called HIDAPI_JoystickDisconnected() if the device went away */
if (device->num_joysticks == 0) {
SDL_free(hwdata);
return SDL_SetError("HIDAPI device disconnected while opening");
}
if (!device->driver->OpenJoystick(device, joystick)) {
/* The open failed, mark this device as disconnected and update devices */
HIDAPI_JoystickDisconnected(device, joystickID);