[vlc-commits] demux/subtitle: TextLoad + TextUnload: prevent double-free

[Filip Roséen]

vlc | branch: master | Filip Roséen <filip at atch.se> | Thu Mar  2 17:40:23 2017 +0100| [ba4699385f30536c6531273c5fb1812025cda615] | committer: Jean-Baptiste Kempf

demux/subtitle: TextLoad + TextUnload: prevent double-free

There is a relationshop between the value of txt->i_line_count and
txt->line stating that the value of txt->line is undefined if
txt->i_line_count is zero.

As the above might seem simple enough, it leads to a case double-free
if one does not pay attention and check the value of txt->i_line_count
prior to working with txt->line; as in TextUnload.

These changes make sure that we do not read from txt->line unless we
know that it is safe.

Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ba4699385f30536c6531273c5fb1812025cda615
---

 modules/demux/subtitle.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/demux/subtitle.c b/modules/demux/subtitle.c
index ff3a64d..7e7d6f5 100644
--- a/modules/demux/subtitle.c
+++ b/modules/demux/subtitle.c
@@ -841,11 +841,12 @@ static int TextLoad( text_t *txt, stream_t *s )
 }
 static void TextUnload( text_t *txt )
 {
-    for( size_t i = 0; i < txt->i_line_count; i++ )
+    if( txt->i_line_count )
     {
-        free( txt->line[i] );
+        for( size_t i = 0; i < txt->i_line_count; i++ )
+            free( txt->line[i] );
+        free( txt->line );
     }
-    free( txt->line );
     txt->i_line       = 0;
     txt->i_line_count = 0;
 }