[vlc-commits] misc/image: ImageRead: use vlc_format_Copy

[Filip Roséen]

vlc | branch: master | Filip Roséen <filip at atch.se> | Sun May 21 20:50:24 2017 +0200| [ce0d3b2c8be8126f272abe1c591d8a300a7ab190] | committer: Rémi Denis-Courmont

misc/image: ImageRead: use vlc_format_Copy

If the decoder allocates data within video_format_t.p_palette, the
previous implementation would result in a use-after-free (among other
issues) due to the ownership of said p_palette not being well-defined.

This fixes the issue by using video_format_Copy, so that the two fmts
do not refer to the same palette.

fixes: #18334

Signed-off-by: Rémi Denis-Courmont <remi at remlab.net>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=ce0d3b2c8be8126f272abe1c591d8a300a7ab190
---

 src/misc/image.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/misc/image.c b/src/misc/image.c
index 7842392dc6..9b4631ecaa 100644
--- a/src/misc/image.c
+++ b/src/misc/image.c
@@ -251,9 +251,15 @@ static picture_t *ImageRead( image_handler_t *p_image, block_t *p_block,
         }
 
         p_pic = p_image->p_filter->pf_video_filter( p_image->p_filter, p_pic );
-        *p_fmt_out = p_image->p_filter->fmt_out.video;
+
+        video_format_Clean( p_fmt_out );
+        video_format_Copy( p_fmt_out, &p_image->p_filter->fmt_out.video );
+    }
+    else
+    {
+        video_format_Clean( p_fmt_out );
+        video_format_Copy( p_fmt_out, &p_image->p_dec->fmt_out.video );
     }
-    else *p_fmt_out = p_image->p_dec->fmt_out.video;
 
     return p_pic;
 }