[vlc-commits] sd: avahi: Fix potential use after free

Hugo Beauzée-Luyssen git at videolan.org
Wed Jan 23 18:28:26 CET 2019 

vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Fri Nov 23 14:53:24 2018 +0100| [e969030b6e4c23f851d8449526d0af53bbe6108f] | committer: Hugo Beauzée-Luyssen

sd: avahi: Fix potential use after free

A SD user might want to use the fields of the removed item, which can't
be done if it gets released immediatly after being sent.

(cherry picked from commit d79805c5fef70bdeb45255078f57dd08b9b8fefc)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=e969030b6e4c23f851d8449526d0af53bbe6108f
---

 modules/services_discovery/avahi.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/modules/services_discovery/avahi.c b/modules/services_discovery/avahi.c
index dbfac40809..1457c75a61 100644
--- a/modules/services_discovery/avahi.c
+++ b/modules/services_discovery/avahi.c
@@ -206,7 +206,6 @@ static void resolve_callback(
             vlc_dictionary_insert( &p_sys->services_name_to_input_item,
                 name, p_input );
             services_discovery_AddItem( p_sd, p_input );
-            input_item_Release( p_input );
        }
     }
 
@@ -257,10 +256,17 @@ static void browse_callback(
             vlc_dictionary_remove_value_for_key(
                         &p_sys->services_name_to_input_item,
                         name, NULL, NULL );
+            input_item_Release( p_item );
         }
     }
 }
 
+static void clear_item( void* p_item, void* p_obj )
+{
+    VLC_UNUSED( p_obj );
+    input_item_Release( (input_item_t*)p_item );
+}
+
 /*****************************************************************************
  * Open: initialize and create stuff
  *****************************************************************************/
@@ -318,7 +324,7 @@ error:
     if( p_sys->poll != NULL )
         avahi_threaded_poll_free( p_sys->poll );
 
-    vlc_dictionary_clear( &p_sys->services_name_to_input_item, NULL, NULL );
+    vlc_dictionary_clear( &p_sys->services_name_to_input_item, clear_item, NULL );
     free( p_sys );
 
     return VLC_EGENERIC;
@@ -336,6 +342,6 @@ static void Close( vlc_object_t *p_this )
     avahi_client_free( p_sys->client );
     avahi_threaded_poll_free( p_sys->poll );
 
-    vlc_dictionary_clear( &p_sys->services_name_to_input_item, NULL, NULL );
+    vlc_dictionary_clear( &p_sys->services_name_to_input_item, clear_item, NULL );
     free( p_sys );
 }

More information about the vlc-commits mailing list