[vlc-commits] commit: config_PutPsz: fix potential use-after-free ( Rémi Denis-Courmont )
git at videolan.org
git at videolan.org
Sat May 29 17:29:36 CEST 2010
vlc/vlc-1.1 | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Sat May 29 18:25:36 2010 +0300| [05f928416a9f334d79de4c2acf65c551d8737a36] | committer: Rémi Denis-Courmont
config_PutPsz: fix potential use-after-free
The new config value is duplicated, and the copy is stored to the
configuration. After the configuration R/W lock is released, we have no
warranty that another thread does not change the same configuration
item, and free our own copy. Admittedly, this is very unlikely.
Instead, we can simply pass the original string from the caller to the
callback - that one must remain valid through the config_PutPsz()
function call by definition.
(cherry picked from commit 6b35f6ff09419006d8af86cfb507fc644669a118)
> http://git.videolan.org/gitweb.cgi/vlc/vlc-1.1.git/?a=commit;h=05f928416a9f334d79de4c2acf65c551d8737a36
---
src/config/core.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/config/core.c b/src/config/core.c
index 8f4cdc7..e54df62 100644
--- a/src/config/core.c
+++ b/src/config/core.c
@@ -253,7 +253,7 @@ void config_PutPsz( vlc_object_t *p_this,
const char *psz_name, const char *psz_value )
{
module_config_t *p_config;
- vlc_value_t oldval, val;
+ vlc_value_t oldval;
p_config = config_FindConfig( p_this, psz_name );
@@ -282,13 +282,13 @@ void config_PutPsz( vlc_object_t *p_this,
p_config->value.psz = NULL;
p_config->b_dirty = true;
-
- val.psz_string = (char *)p_config->value.psz;
-
vlc_rwlock_unlock (&config_lock);
if( p_config->pf_callback )
{
+ vlc_value_t val;
+
+ val.psz_string = (char *)psz_value;
p_config->pf_callback( p_this, psz_name, oldval, val,
p_config->p_callback_data );
}
More information about the vlc-commits
mailing list