[vlc-commits] DCP: fix heap-use-after-free on xml_ReaderNextNode error
Thomas Guillem
git at videolan.org
Thu Dec 21 10:59:24 CET 2017
vlc | branch: master | Thomas Guillem <thomas at gllm.fr> | Thu Dec 21 10:57:01 2017 +0100| [1b1de3b7f76dae70bba70c8491e68e128cdf06d2] | committer: Thomas Guillem
DCP: fix heap-use-after-free on xml_ReaderNextNode error
==9090==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000173170 at pc 0x7f8a86e19063 bp 0x7f8a7bbf9230 sp 0x7f8a7bbf89e0
READ of size 2 at 0x602000173170 thread T10
[000061200002c080] dbus interface debug: Getting All properties
[000061200002c080] dbus interface debug: Getting All properties
#0 0x7f8a86e19062 (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
#1 0x7f8a84dda3b6 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x1203b6)
#2 0x7f8a4d1bfef1 in XmlFile::ReadNextNode(demux_t*, xml_reader_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ../../modules/access/dcp/dcpparser.cpp:750
#3 0x7f8a4d1c0d82 in PKL::Parse() ../../modules/access/dcp/dcpparser.cpp:864
#4 0x7f8a4d1bbe32 in AssetMap::Parse() ../../modules/access/dcp/dcpparser.cpp:291
#5 0x7f8a4d1b2f7c in parseXML(demux_t*) ../../modules/access/dcp/dcp.cpp:1011
#6 0x7f8a4d1b2b12 in dcpInit(demux_t*) ../../modules/access/dcp/dcp.cpp:942
#7 0x7f8a4d1ad3c2 in Open ../../modules/access/dcp/dcp.cpp:326
#8 0x7f8a8653b97d in generic_start ../../src/modules/modules.c:356
#9 0x7f8a8653acd4 in module_load ../../src/modules/modules.c:183
#10 0x7f8a8653b328 in vlc_module_load ../../src/modules/modules.c:279
#11 0x7f8a8653bace in module_need ../../src/modules/modules.c:371
#12 0x7f8a8658c8c5 in demux_NewAdvanced ../../src/input/demux.c:270
#13 0x7f8a865c84c7 in InputDemuxNew ../../src/input/input.c:2403
#14 0x7f8a865c8e89 in InputSourceNew ../../src/input/input.c:2555
#15 0x7f8a865c15bf in Init ../../src/input/input.c:1303
#16 0x7f8a865bc641 in Run ../../src/input/input.c:498
#17 0x7f8a857ee493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#18 0x7f8a8532cafe in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8afe)
0x602000173170 is located 0 bytes inside of 12-byte region [0x602000173170,0x60200017317c)
freed by thread T10 here:
#0 0x7f8a86e9ea10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x7f8a78a29181 in ReaderNextNode ../../modules/misc/xml/libxml.c:217
#2 0x7f8a4d1ba838 in xml_ReaderNextNode ../../include/vlc_xml.h:87
#3 0x7f8a4d1bfec2 in XmlFile::ReadNextNode(demux_t*, xml_reader_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ../../modules/access/dcp/dcpparser.cpp:744
#4 0x7f8a4d1c0d82 in PKL::Parse() ../../modules/access/dcp/dcpparser.cpp:864
#5 0x7f8a4d1bbe32 in AssetMap::Parse() ../../modules/access/dcp/dcpparser.cpp:291
#6 0x7f8a4d1b2f7c in parseXML(demux_t*) ../../modules/access/dcp/dcp.cpp:1011
#7 0x7f8a4d1b2b12 in dcpInit(demux_t*) ../../modules/access/dcp/dcp.cpp:942
#8 0x7f8a4d1ad3c2 in Open ../../modules/access/dcp/dcp.cpp:326
#9 0x7f8a8653b97d in generic_start ../../src/modules/modules.c:356
#10 0x7f8a8653acd4 in module_load ../../src/modules/modules.c:183
#11 0x7f8a8653b328 in vlc_module_load ../../src/modules/modules.c:279
#12 0x7f8a8653bace in module_need ../../src/modules/modules.c:371
#13 0x7f8a8658c8c5 in demux_NewAdvanced ../../src/input/demux.c:270
#14 0x7f8a865c84c7 in InputDemuxNew ../../src/input/input.c:2403
#15 0x7f8a865c8e89 in InputSourceNew ../../src/input/input.c:2555
#16 0x7f8a865c15bf in Init ../../src/input/input.c:1303
#17 0x7f8a865bc641 in Run ../../src/input/input.c:498
#18 0x7f8a857ee493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=1b1de3b7f76dae70bba70c8491e68e128cdf06d2
---
modules/access/dcp/dcpparser.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/access/dcp/dcpparser.cpp b/modules/access/dcp/dcpparser.cpp
index 92a26f1a72..7cb40fa3c8 100755
--- a/modules/access/dcp/dcpparser.cpp
+++ b/modules/access/dcp/dcpparser.cpp
@@ -743,6 +743,9 @@ int XmlFile::ReadNextNode( demux_t *p_demux, xml_reader_t *p_xmlReader, string&
const char * c_node;
int i = xml_ReaderNextNode( p_xmlReader, &c_node );
+ if( i <= XML_READER_NONE )
+ return i;
+
/* remove namespaces, if there are any */
string s_node = c_node;
size_t ui_pos = s_node.find( ":" );
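Review bot: the new early return `if( i <= XML_READER_NONE ) return i;` exits before anything is written to the `string&` argument, so a caller that reads the node name without first checking the return value will see whatever the string held from an earlier call. Consider clearing that string before returning, or stating in the function's comment that it is only valid when the return value is greater than XML_READER_NONE. Separately, `const char * c_node;` just above the call is still declared without an initializer; setting it to NULL would make any later path that skips this check fail deterministically instead of reading an indeterminate pointer.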