[vlc-commits] dvdnav: fix possible use-after-free

Tue Apr 7 11:19:05 CEST 2020

vlc/vlc-3.0 | branch: master | Thomas Guillem <thomas at gllm.fr> | Mon Sep  9 17:44:20 2019 +0200| [6cb33189fb2911cf2f1be36df594bf4634aefb46] | committer: Hugo Beauzée-Luyssen

dvdnav: fix possible use-after-free

CrashDragon reports an EXCEPTION_ACCESS_VIOLATION_READ in
es_out_Control( p_demux->out, ES_OUT_SET_ES_STATE, tk->es ) from
ESSubtitleUpdate(). A possible sane reason is that tk->es is not set to NULL
when deleted after a DVDNAV_VTS_CHANGE event.

CID c103a5eb-7972-4882-9121-bddaed659bec

This commit doesn't necessarily fixes this CID that could also be triggered by
a random memory corruption in dvdnav.

Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
(cherry picked from commit 9e390be706d4b08c85d9a0e6e66c3be568e43af3)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=6cb33189fb2911cf2f1be36df594bf4634aefb46
---

 modules/access/dvdnav.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/access/dvdnav.c b/modules/access/dvdnav.c
index 61a9157111..4c19de047e 100644
--- a/modules/access/dvdnav.c
+++ b/modules/access/dvdnav.c
@@ -977,7 +977,11 @@ static int Demux( demux_t *p_demux )
             if( tk->b_configured )
             {
                 es_format_Clean( &tk->fmt );
-                if( tk->es ) es_out_Del( p_demux->out, tk->es );
+                if( tk->es ) 
+                {
+                    es_out_Del( p_demux->out, tk->es );
+                    tk->es = NULL;
+                }
             }
             tk->b_configured = false;
         }

