[vlc-devel] [PATCH] demux/subtitle: TextLoad + TextUnload: prevent double-free
Filip Roséen
filip at atch.se
Thu Mar 2 17:40:23 CET 2017
There is a relationship between the value of txt->i_line_count and
txt->line stating that the value of txt->line is undefined if
txt->i_line_count is zero.
As the above might seem simple enough, it leads to a case of double-free
if one does not pay attention and check the value of txt->i_line_count
prior to working with txt->line; as in TextUnload.
These changes make sure that we do not read from txt->line unless we
know that it is safe.
---
modules/demux/subtitle.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/demux/subtitle.c b/modules/demux/subtitle.c
index ff3a64d889..7e7d6f5ad9 100644
--- a/modules/demux/subtitle.c
+++ b/modules/demux/subtitle.c
@@ -841,11 +841,12 @@ static int TextLoad( text_t *txt, stream_t *s )
}
static void TextUnload( text_t *txt )
{
- for( size_t i = 0; i < txt->i_line_count; i++ )
+ if( txt->i_line_count )
{
- free( txt->line[i] );
+ for( size_t i = 0; i < txt->i_line_count; i++ )
+ free( txt->line[i] );
+ free( txt->line );
}
- free( txt->line );
txt->i_line = 0;
txt->i_line_count = 0;
}
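Review bot: after `free( txt->line );` in TextUnload, txt->line still holds the freed pointer, so the fix depends entirely on every caller honouring the rule that txt->line is undefined when txt->i_line_count is zero. Setting `txt->line = NULL;` next to the two existing resets of i_line and i_line_count would make a repeated TextUnload harmless on its own, since free(NULL) is a no-op, and would turn any stray read of txt->line into a clean NULL dereference instead of a use of freed memory. The invariant is also only stated in the commit message; a short comment on the new `if( txt->i_line_count )` guard would keep it visible in the source. Lastly, the subject names TextLoad as well, but the diffstat (4 insertions, 3 deletions) is fully accounted for by this TextUnload hunk, so either the subject should be narrowed or the TextLoad side of the change is missing.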
--
2.12.0