[vlc-devel] [PATCH v2] demux: ts: fix null dereference in close callback
Akinobu Mita
akinobu.mita at gmail.com
Sun Aug 23 04:33:31 CEST 2020
The close callback for MPEG Transport Stream demuxer module sets the
b25stream's input stream to NULL and deletes b25stream by calling
vlc_stream_Delete(). (See /* don't chain kill demuxer's source */
comment in modules/demux/mpeg/ts.c)
That causes a NULL dereference in StreamDelete() since commit
daeddd9bc724da5aa3c364c5b382da963f92b5b8 ("stream_filter: remove
tautology test").
Instead of unlinking the input stream and deleting b25stream in
close callback, let it chain kill when the demuxer is deleted.
---
modules/demux/mpeg/ts.c | 6 ------
modules/demux/mpeg/ts_psi.c | 1 +
2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/modules/demux/mpeg/ts.c b/modules/demux/mpeg/ts.c
index bee529720d..57cfdc7309 100644
--- a/modules/demux/mpeg/ts.c
+++ b/modules/demux/mpeg/ts.c
@@ -576,12 +576,6 @@ static void Close( vlc_object_t *p_this )
arib_instance_destroy( p_sys->arib.p_instance );
#endif
- if ( p_sys->arib.b25stream )
- {
- p_sys->arib.b25stream->s = NULL; /* don't chain kill demuxer's source */
- vlc_stream_Delete( p_sys->arib.b25stream );
- }
-
/* Release all non default pids */
ts_pid_list_Release( p_demux, &p_sys->pids );
diff --git a/modules/demux/mpeg/ts_psi.c b/modules/demux/mpeg/ts_psi.c
index dbdec34529..74ffb8b8fb 100644
--- a/modules/demux/mpeg/ts_psi.c
+++ b/modules/demux/mpeg/ts_psi.c
@@ -2074,6 +2074,7 @@ static void PMTCallBack( void *data, dvbpsi_pmt_t *p_dvbpsipmt )
{
p_sys->arib.b25stream = vlc_stream_FilterNew( p_demux->s, "aribcam" );
p_sys->stream = ( p_sys->arib.b25stream ) ? p_sys->arib.b25stream : p_demux->s;
+ p_demux->s = p_sys->stream;
}
}
}
--
2.25.1
More information about the vlc-devel
mailing list