[libdvdnav-devel] dvdnav: fix invalid free in dvdnav_free_dup

John Stebbins stebbins at jetheaddev.com
Tue Aug 26 16:32:36 CEST 2014 

Hi,

Any chance you could do a bugfix release soonish?  This commit I made Friday fixes a problem that consistently crashes
HandBrake.  Would be nice to get that out there so that distributions can use an unpatched release with HandBrake.

On 08/25/2014 07:57 AM, John Stebbins wrote:
> libdvdnav | branch: master | John Stebbins <jstebbins at jetheaddev.com> | Fri Aug 22 12:06:41 2014 -0700| [93f9aa5947321f90d19f74a60eeaceff8fd09f71] | committer: John Stebbins
>
> dvdnav: fix invalid free in dvdnav_free_dup
>
> When path was changed from char[] to char*, a free was added to
> dvdnav_free_dup, but the string was not copied in dvdnav_dup resulting
> in a double free.
>
>> http://git.videolan.org/gitweb.cgi/libdvdnav.git/?a=commit;h=93f9aa5947321f90d19f74a60eeaceff8fd09f71
> ---
>
>  src/dvdnav.c |   27 ++++++++++++++++++++-------
>  1 file changed, 20 insertions(+), 7 deletions(-)
>
> diff --git a/src/dvdnav.c b/src/dvdnav.c
> index 6f32550..a5fac25 100644
> --- a/src/dvdnav.c
> +++ b/src/dvdnav.c
> @@ -74,27 +74,40 @@ dvdnav_status_t dvdnav_dup(dvdnav_t **dest, dvdnav_t *src) {
>  
>    (*dest) = NULL;
>    this = (dvdnav_t*)malloc(sizeof(dvdnav_t));
> -  if(!this)
> +  if (!this)
>      return DVDNAV_STATUS_ERR;
>  
>    memcpy(this, src, sizeof(dvdnav_t));
>    this->file = NULL;
> +  this->vm = NULL;
> +  this->path = NULL;
> +  this->cache = NULL;
>  
>    pthread_mutex_init(&this->vm_lock, NULL);
>  
>    this->vm = vm_new_copy(src->vm);
> -  if(!this->vm) {
> -    printerr("Error initialising the DVD VM.");
> -    pthread_mutex_destroy(&this->vm_lock);
> -    free(this);
> -    return DVDNAV_STATUS_ERR;
> -  }
> +  if (!this->vm)
> +    goto fail;
> +
> +  this->path = strdup(src->path);
> +  if (!this->path)
> +    goto fail;
>  
>    /* Start the read-ahead cache. */
>    this->cache = dvdnav_read_cache_new(this);
> +  if (!this->cache)
> +    goto fail;
>  
>    (*dest) = this;
>    return DVDNAV_STATUS_OK;
> +
> +fail:
> +    printerr("Error initialising the DVD VM.");
> +    pthread_mutex_destroy(&this->vm_lock);
> +    vm_free_vm(this->vm);
> +    free(this->path);
> +    free(this);
> +    return DVDNAV_STATUS_ERR;
>  }
>  
>  dvdnav_status_t dvdnav_free_dup(dvdnav_t *this) {
>
> _______________________________________________
> libdvdnav-devel mailing list
> libdvdnav-devel at videolan.org
> https://mailman.videolan.org/listinfo/libdvdnav-devel

-- 
John      GnuPG fingerprint: D0EC B3DB C372 D1F1 0B01  83F0 49F1 D7B2 60D4 D0F7


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.videolan.org/pipermail/libdvdnav-devel/attachments/20140826/45eb941d/attachment.sig>

More information about the libdvdnav-devel mailing list