[vlc-commits] dvdnav: fix possible use-after-free

Thomas Guillem git at videolan.org
Tue Apr 7 11:16:07 CEST 2020


vlc | branch: master | Thomas Guillem <thomas at gllm.fr> | Mon Sep  9 17:44:20 2019 +0200| [9e390be706d4b08c85d9a0e6e66c3be568e43af3] | committer: Hugo Beauzée-Luyssen

dvdnav: fix possible use-after-free

CrashDragon reports an EXCEPTION_ACCESS_VIOLATION_READ in
es_out_Control( p_demux->out, ES_OUT_SET_ES_STATE, tk->es ) from
ESSubtitleUpdate(). A possible sane reason is that tk->es is not set to NULL
when deleted after a DVDNAV_VTS_CHANGE event.

CID c103a5eb-7972-4882-9121-bddaed659bec

This commit doesn't necessarily fix this CID that could also be triggered by
a random memory corruption in dvdnav.

Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=9e390be706d4b08c85d9a0e6e66c3be568e43af3
---

 modules/access/dvdnav.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/access/dvdnav.c b/modules/access/dvdnav.c
index f082f1021b..c7d0f0728d 100644
--- a/modules/access/dvdnav.c
+++ b/modules/access/dvdnav.c
@@ -993,6 +993,7 @@ static int Demux( demux_t *p_demux )
                         vlc_mutex_unlock( &p_sys->event_lock );
                     }
                     es_out_Del( p_sys->p_tf_out, tk->es );
+                    tk->es = NULL;
                 }
             }
             tk->b_configured = false;
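
Review bot: The added `tk->es = NULL;` runs after the `vlc_mutex_unlock( &p_sys->event_lock );` two lines above it, so neither the `es_out_Del()` call nor the pointer reset is inside that locked section. If ESSubtitleUpdate(), named in the commit message as the crashing caller, can run concurrently with Demux(), it could still read the stale `tk->es` between the delete and the reset; please confirm both run on the same thread, or keep the delete-and-clear pair under the lock. The reset also only helps if that caller tests `tk->es` for NULL before handing it to es_out_Control(), which this hunk does not show, so that check is worth verifying alongside this change.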


