<div dir="ltr"><div>This is in file "modules/gui/qt4/components/extended_panels.cpp"<br><br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">static char *ChangeFiltersString( struct intf_thread_t *p_intf, const char *psz_filter_type, const char *psz_name, bool b_add )<br>
{<br> char *psz_parser, *psz_string;<br> psz_string = config_GetPsz( p_intf, psz_filter_type );<br><br> <b> if( !psz_string ) psz_string = strdup( "" );<br><br> psz_parser = strstr( psz_string, psz_name );</b><br>
.....<br></blockquote><div><br></div><b> </b>psz_name gets the value "transform" when you use rotation from the options.<br></div>I used the same code in the hotkey.<br><div><div class="im"><br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
> +<br>
<b>> + if ( !psz_string ) psz_string = strdup( "" );<br>
> + psz_parser = strstr( psz_string, "transform" ); </b></blockquote><div> </div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
This will not work if the parameters of another video filter contain the substring "transform", which is in fact totally possible, since some parameters are arbitrary strings.</blockquote><div> <br></div><div>So is this a problem?<br>
<br><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">> +<br>
> + if ( !psz_parser ){<br>
> + psz_parser = psz_string;<br>
> + asprintf( &psz_string, ( *psz_string ) ? "%s:%s" : "%s%s",<br>
> psz_string, "transform" );<br>
> + }<br>
> +<br>
> + switch( tr_mode ){<br>
> + case 0: transform_type = "90"; break;<br>
> + case 1: transform_type = "180"; break;<br>
> + case 2: transform_type = "270"; break;<br>
> + case 3: transform_type = "hflip"; break;<br>
> + case 4: transform_type = "vflip"; break;<br>
> + case 5: transform_type = "transpose"; break;<br>
> + case 6: transform_type = "antitranspose"; break;<br>
> + case 7: // reset psz_string<br>
> + if( *( psz_parser + strlen( "transform" ) ) == ':' )<br>
> + memmove( psz_parser, psz_parser + strlen( "transform" ) + 1,<br>
> + strlen( psz_parser + strlen( "transform" ) + 1 ) + 1 );<br>
> + else *psz_parser = '\0';<br>
<br>
I am not sure I follow the logic, but this looks like a heap buffer<br>
overflow to me.<br></blockquote><br></div><div>Can you be more specific please? Do you mean that the change of "transform_type" variable causes an issue? I tested it but I didn't get an error.<br><br></div>
<div>I have already asked before if there is a way to get <transform-type> value, if the program starts via command line. I couldn't find a solution on this. Does someone have any suggestion on this?<br><br>Thanks!<br>
</div></div><div> </div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-01-21 Stefanos Orovas <span dir="ltr"><<a href="mailto:stef.orovas@gmail.com" target="_blank">stef.orovas@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="im"><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote">
<div>> diff --git a/modules/control/hotkeys.c b/modules/control/hotkeys.c<br>
> index ab68340..51ad890 100644<br>
> --- a/modules/control/hotkeys.c<br>
> +++ b/modules/control/hotkeys.c<br>
> @@ -836,7 +836,50 @@ static int PutAction( intf_thread_t *p_intf, int<br>
> i_action )<br>
> if( p_vout )<br>
> var_DecInteger( p_vout, "crop-right" );<br>
> break;<br>
> -<br>
> + case ACTIONID_TRANSFORM:<br>
> + if ( p_vout )<br>
> + {<br>
> + char *psz_parser, *transform_type = "";<br>
> + char *psz_string = config_GetPsz( p_vout, "video-filter" );<br>
<br>
</div>I believe that won't work properly if video-filter was passed via the<br>
command line.</blockquote><div><br></div></div><div>Yes, you are right. I will use var_Get() to get the video-filters. The problem is that when the filters are passed via command line I can't get the <transform-type> value using var_*. <br>
<br></div><div>Any suggestions here? <br></div><div> </div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">2014/1/19 Rémi Denis-Courmont <span dir="ltr"><<a href="mailto:remi@remlab.net" target="_blank">remi@remlab.net</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sat, 18 Jan 2014 18:22:04 +0200, Stefanos Orovas<br>
<<a href="mailto:stef.orovas@gmail.com" target="_blank">stef.orovas@gmail.com</a>><br>
wrote:<br>
<div>> diff --git a/modules/control/hotkeys.c b/modules/control/hotkeys.c<br>
> index ab68340..51ad890 100644<br>
> --- a/modules/control/hotkeys.c<br>
> +++ b/modules/control/hotkeys.c<br>
> @@ -836,7 +836,50 @@ static int PutAction( intf_thread_t *p_intf, int<br>
> i_action )<br>
> if( p_vout )<br>
> var_DecInteger( p_vout, "crop-right" );<br>
> break;<br>
> -<br>
> + case ACTIONID_TRANSFORM:<br>
> + if ( p_vout )<br>
> + {<br>
> + char *psz_parser, *transform_type = "";<br>
> + char *psz_string = config_GetPsz( p_vout, "video-filter" );<br>
<br>
</div>I believe that won't work properly if video-filter was passed via the<br>
command line.<br>
<div><br>
> + static int tr_mode = 0;<br>
<br>
</div>NEVER use read/write static data (unless you REALLY know what you are<br>
doing).<br>
<div><br>
> +<br>
> + if ( !psz_string ) psz_string = strdup( "" );<br>
> + psz_parser = strstr( psz_string, "transform" );<br>
<br>
</div>This will not work if the parameters of another video filter contain the<br>
substring "transform", which is in fact totally possible, since some<br>
parameters are arbitrary strings.<br>
<div><br>
> +<br>
> + if ( !psz_parser ){<br>
> + psz_parser = psz_string;<br>
> + asprintf( &psz_string, ( *psz_string ) ? "%s:%s" : "%s%s",<br>
> psz_string, "transform" );<br>
> + }<br>
> +<br>
> + switch( tr_mode ){<br>
> + case 0: transform_type = "90"; break;<br>
> + case 1: transform_type = "180"; break;<br>
> + case 2: transform_type = "270"; break;<br>
> + case 3: transform_type = "hflip"; break;<br>
> + case 4: transform_type = "vflip"; break;<br>
> + case 5: transform_type = "transpose"; break;<br>
> + case 6: transform_type = "antitranspose"; break;<br>
> + case 7: // reset psz_string<br>
> + if( *( psz_parser + strlen( "transform" ) ) == ':' )<br>
> + memmove( psz_parser, psz_parser + strlen( "transform" ) + 1,<br>
> + strlen( psz_parser + strlen( "transform" ) + 1 ) + 1 );<br>
> + else *psz_parser = '\0';<br>
<br>
</div>I am not sure I follow the logic, but this looks like a heap buffer<br>
overflow to me.<br>
<div><br>
> +<br>
> + /* Remove trailing : : */<br>
> + size_t i_len = strlen( psz_string );<br>
> + if( i_len > 0 && *( psz_string + i_len - 1 ) == ':' )<br>
> + {<br>
> + *( psz_string + i_len - 1 ) = '\0';<br>
> + }<br>
> + break;<br>
> + }<br>
> + tr_mode ++; tr_mode = tr_mode % 8;<br>
> +<br>
> + config_PutPsz( p_intf, "transform-type", transform_type );<br>
> + config_PutPsz( p_intf, "video-filter", psz_string );<br>
<br>
</div>As pointed out previously, this would clobber the user configuration.<br>
Please stick to var_*().<br>
<div><br>
> + var_SetString( p_vout, "video-filter", psz_string );<br>
<br>
</div>Variables go out of scope. Memory leaks...<br>
<div><div><br>
> + }<br>
> + break;<br>
> case ACTIONID_TOGGLE_AUTOSCALE:<br>
> if( p_vout )<br>
> {<br>
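Review bot: In the "if ( !psz_parser )" branch, psz_parser is set to the old psz_string buffer and asprintf() then replaces psz_string with a new allocation, so psz_parser no longer points into the string that is later stored in "video-filter", and the old buffer is leaked. If case 7 runs after that branch, the "*( psz_parser + strlen( "transform" ) )" test and the memmove() access memory past the end of the old buffer whenever it is shorter than "transform" (it is one byte long when the filter list was empty), and the reset edits the wrong buffer in any case. Suggest checking the asprintf() return value, freeing the old string, and recomputing psz_parser inside the new buffer, or skipping the removal when the filter was not found; psz_string also needs a free() after var_SetString().<br>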
</div></div><span><font color="#888888">--<br>
Rémi Denis-Courmont<br>
Sent from my collocated server<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
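The substring objection raised in the review, shown as an added example (this is not code from the patch or from VLC): a whole-entry match and a removal that builds a fresh string instead of editing through a saved pointer. It assumes filters are separated by ':' and may carry a {...} parameter block; the function names and the sample chains are constructed for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Assumed syntax (not taken from the thread): entries are separated by ':'
 * and an entry may carry parameters in a {...} block containing any text. */

/* End of the entry starting at p: the first ':' outside braces, or the NUL. */
static const char *entry_end(const char *p) {
    int depth = 0;
    for (; *p; p++) {
        if (*p == '{') depth++;
        else if (*p == '}' && depth > 0) depth--;
        else if (*p == ':' && depth == 0) break;
    }
    return p;
}

/* True when the entry [p, end) is exactly name, or name followed by '{'. */
static bool entry_is(const char *p, const char *end, const char *name) {
    size_t n = strlen(name);
    return (size_t)(end - p) >= n && memcmp(p, name, n) == 0
        && (p + n == end || p[n] == '{');
}

/* Hypothetical helper: is name one of the entries of chain? */
bool chain_has_filter(const char *chain, const char *name) {
    for (const char *p = chain; *p; ) {
        const char *end = entry_end(p);
        if (entry_is(p, end, name)) return true;
        p = *end ? end + 1 : end;
    }
    return false;
}

/* Hypothetical helper: new heap string without the name entries; caller frees.
 * The result is never longer than chain, so one allocation is enough. */
char *chain_remove_filter(const char *chain, const char *name) {
    char *out = malloc(strlen(chain) + 1);
    if (!out) return NULL;
    size_t len = 0;
    for (const char *p = chain; *p; ) {
        const char *end = entry_end(p);
        if (end > p && !entry_is(p, end, name)) {
            if (len) out[len++] = ':';      /* separator only between kept entries */
            memcpy(out + len, p, (size_t)(end - p));
            len += (size_t)(end - p);
        }
        p = *end ? end + 1 : end;
    }
    out[len] = '\0';
    return out;
}
```

On the constructed chain "label{text=transform}:adjust", strstr() reports a match for "transform" while chain_has_filter() does not.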