[libdvdnav-devel] [PATCH] dvdnav: fix invalid free in dvdnav_free_dup

John Stebbins jstebbins at jetheaddev.com
Fri Aug 22 21:09:21 CEST 2014


When path was changed from char[] to char*, a free was added to
dvdnav_free_dup, but the string was not copied in dvdnav_dup, resulting
in a double free.
---
 src/dvdnav.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/dvdnav.c b/src/dvdnav.c
index 6f32550..a5fac25 100644
--- a/src/dvdnav.c
+++ b/src/dvdnav.c
@@ -74,27 +74,40 @@ dvdnav_status_t dvdnav_dup(dvdnav_t **dest, dvdnav_t *src) {
 
   (*dest) = NULL;
   this = (dvdnav_t*)malloc(sizeof(dvdnav_t));
-  if(!this)
+  if (!this)
     return DVDNAV_STATUS_ERR;
 
   memcpy(this, src, sizeof(dvdnav_t));
   this->file = NULL;
+  this->vm = NULL;
+  this->path = NULL;
+  this->cache = NULL;
 
   pthread_mutex_init(&this->vm_lock, NULL);
 
   this->vm = vm_new_copy(src->vm);
-  if(!this->vm) {
-    printerr("Error initialising the DVD VM.");
-    pthread_mutex_destroy(&this->vm_lock);
-    free(this);
-    return DVDNAV_STATUS_ERR;
-  }
+  if (!this->vm)
+    goto fail;
+
+  this->path = strdup(src->path);
+  if (!this->path)
+    goto fail;
 
   /* Start the read-ahead cache. */
   this->cache = dvdnav_read_cache_new(this);
+  if (!this->cache)
+    goto fail;
 
   (*dest) = this;
   return DVDNAV_STATUS_OK;
+
+fail:
+    printerr("Error initialising the DVD VM.");
+    pthread_mutex_destroy(&this->vm_lock);
+    vm_free_vm(this->vm);
+    free(this->path);
+    free(this);
+    return DVDNAV_STATUS_ERR;
 }
 
 dvdnav_status_t dvdnav_free_dup(dvdnav_t *this) {
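Review bot: The shared `fail:` label at the end of the hunk reports every failure as `Error initialising the DVD VM.`, so a failed `strdup(src->path)` or `dvdnav_read_cache_new(this)` is misdiagnosed; either print at each `goto fail` site (`printerr("Error copying DVD path."); goto fail;`) or pass the message through a local. The same label calls `vm_free_vm(this->vm)` when `vm_new_copy` has just returned NULL, which is only safe if `vm_free_vm` tolerates a NULL argument — that is not visible here, so guard it with `if (this->vm) vm_free_vm(this->vm);` unless it is documented to accept NULL. `strdup(src->path)` is undefined if `src->path` can be NULL (e.g. a dvdnav_t obtained from a failed or partially constructed open); if that state is reachable, the dup should reject it before the strdup. The remaining fields copied by the `memcpy` from `src` are still shared between the two objects, so `dvdnav_free_dup` (which begins at the end of this hunk and continues outside it) must continue to free only `file`, `vm`, `path` and `cache`; a short comment above the memcpy stating that ownership rule would prevent the next field promotion from reintroducing this bug.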
-- 
1.9.3


