Skip to content

Null pointer derefrence in GuiLoadStyleDefault function #514

New issue
New issue
Open
Open
Null pointer derefrence in GuiLoadStyleDefault function#514
@lgdt-mem-takeover

Description

@lgdt-mem-takeover
lgdt-mem-takeover
opened on Oct 25, 2025

Hey, apologies if there is some template for reporting that I am not using ( haven't seen an obvious link to one ). The GuiLoadStyleDefault segfaulted on me when using my custom allocator, and I noticed that the function uses RAYGUI_FREE() ( which uses free() from stdlib I assume).

if (guiFont.texture.id != GetFontDefault().texture.id)
    {
        // Unload previous font texture
        UnloadTexture(guiFont.texture);
	RAYGUI_FREE(guiFont.recs);
	RAYGUI_FREE(guiFont.glyphs);
        guiFont.recs = NULL;
        guiFont.glyphs = NULL;

        // Setup default raylib font
        guiFont = GetFontDefault();

        // NOTE: Default raylib font character 95 is a white square
        Rectangle whiteChar = guiFont.recs[95];

        // NOTE: We set up a 1px padding on char rectangle to avoid pixel bleeding on MSAA filtering
        SetShapesTexture(guiFont.texture, RAYGUI_CLITERAL(Rectangle){ whiteChar.x + 1, whiteChar.y + 1, whiteChar.width - 2, whiteChar.height - 2 });
    }

I am not sure how free() handles it, but if a pointer is NULL already, you shouldn't be allowed to free it again. My allocator does store some metadata at the base of the pointer, so when I try to access it, that will obviously also not work, if it's NULL. Regardless, this is basically a double free so I just guarded it.


    if (guiFont.texture.id != GetFontDefault().texture.id)
    {
        // Unload previous font texture
        UnloadTexture(guiFont.texture);
	if (guiFont.recs != NULL) RAYGUI_FREE(guiFont.recs);
	if (guiFont.glyphs != NULL) RAYGUI_FREE(guiFont.glyphs);
        guiFont.recs = NULL;
        guiFont.glyphs = NULL;

        // Setup default raylib font
        guiFont = GetFontDefault();

        // NOTE: Default raylib font character 95 is a white square
        Rectangle whiteChar = guiFont.recs[95];

        // NOTE: We set up a 1px padding on char rectangle to avoid pixel bleeding on MSAA filtering
        SetShapesTexture(guiFont.texture, RAYGUI_CLITERAL(Rectangle){ whiteChar.x + 1, whiteChar.y + 1, whiteChar.width - 2, whiteChar.height - 2 });
    }

EDIT: I said this is a double free, but it may actually not be a double free, but I am not sure of all the functions prior to this function and what they do, but I am sure that freeing is called on some sort of uninited pointer ( which free, from stdlib, will ignore, I think ). But if you do use a custom allocator, you kind of have to be aware of this. My allocator uses metadata from the pointer. If the pointer is NULL ( which never is in my code, because I never call free before allocating the pointer first ) then I am derefing a NULL pointer to access that metadata. Raygui seems to call free() in places where there hasn't been any prior call to some allocator, which again, is fine for the free() in stdlib.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions