[vlc-commits] Avoid double free in case of corrupted files

[Denis Charmet]

vlc/vlc-2.0 | branch: master | Denis Charmet <typx at dinauz.org> | Sun Oct 13 23:39:56 2013 +0200| [fcc89438b11c2a6f524a6905143861f819e7b473] | committer: Jean-Baptiste Kempf

Avoid double free in case of corrupted files

(cherry picked from commit 6cca95fb3950f4e2a1cdb2cfa2bc96538dd897a6)
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-2.0.git/?a=commit;h=fcc89438b11c2a6f524a6905143861f819e7b473
---

 modules/demux/mkv/Ebml_parser.cpp      |    5 +++++
 modules/demux/mkv/Ebml_parser.hpp      |    1 +
 modules/demux/mkv/matroska_segment.cpp |    8 +++++++-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/modules/demux/mkv/Ebml_parser.cpp b/modules/demux/mkv/Ebml_parser.cpp
index fd8e7c6..c7cec7d 100644
--- a/modules/demux/mkv/Ebml_parser.cpp
+++ b/modules/demux/mkv/Ebml_parser.cpp
@@ -121,6 +121,11 @@ void EbmlParser::Keep( void )
     mb_keep = true;
 }
 
+void EbmlParser::Unkeep()
+{
+    mb_keep = false;
+}
+
 int EbmlParser::GetLevel( void ) const
 {
     return mi_user_level;
diff --git a/modules/demux/mkv/Ebml_parser.hpp b/modules/demux/mkv/Ebml_parser.hpp
index 2eb50ab..9951858 100644
--- a/modules/demux/mkv/Ebml_parser.hpp
+++ b/modules/demux/mkv/Ebml_parser.hpp
@@ -41,6 +41,7 @@ class EbmlParser
     void Reset( demux_t *p_demux );
     EbmlElement *Get( int n_call = 0 );
     void        Keep( void );
+    void        Unkeep( void );
     EbmlElement *UnGet( uint64 i_block_pos, uint64 i_cluster_pos );
 
     int  GetLevel( void ) const;
diff --git a/modules/demux/mkv/matroska_segment.cpp b/modules/demux/mkv/matroska_segment.cpp
index e820cfb..d18ee40 100644
--- a/modules/demux/mkv/matroska_segment.cpp
+++ b/modules/demux/mkv/matroska_segment.cpp
@@ -1502,7 +1502,7 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s
             /* Check blocks validity to protect againts broken files */
             if( BlockFindTrackIndex( NULL, pp_block , pp_simpleblock ) )
             {
-                delete pp_block;
+                ep->Unkeep();
                 pp_simpleblock = NULL;
                 pp_block = NULL;
                 continue;
@@ -1625,6 +1625,9 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s
                     {
                         msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
                         ep->Up();
+                        ep->Unkeep();
+                        pp_simpleblock = NULL;
+                        pp_block = NULL;
                         break;
                     }
                     if( MKV_IS_ID( el, KaxBlock ) )
@@ -1678,6 +1681,9 @@ int matroska_segment_c::BlockGet( KaxBlock * & pp_block, KaxSimpleBlock * & pp_s
         {
             msg_Err( &sys.demuxer, "Error while reading %s... upping level", typeid(*el).name());
             ep->Up();
+            ep->Unkeep();
+            pp_simpleblock = NULL;
+            pp_block = NULL;
         }
     }
 }