vlc | branch: master | Filip Roséen <fi...@atch.se> | Mon Feb 20 15:00:57 2017 +0100| [60431f662e65e291b81ff022f364e7dbfde6a291] | committer: Jean-Baptiste Kempf
codec/subsusf: prevent heap-use-after-free / leak The memcpy used will of course make p_ssa_style and p_default_style refer to the same text_style_t, resulting in a use-after-free during clean-up (as well as a leak due to the original p_ssa_style->p_style being lost). Signed-off-by: Jean-Baptiste Kempf <j...@videolan.org> > http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=60431f662e65e291b81ff022f364e7dbfde6a291 --- modules/codec/subsusf.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/codec/subsusf.c b/modules/codec/subsusf.c index 8360db6..d8a9519 100644 --- a/modules/codec/subsusf.c +++ b/modules/codec/subsusf.c @@ -630,12 +630,17 @@ static void ParseUSFHeaderTags( decoder_t *p_dec, xml_reader_t *p_xml_reader ) if( !strcasecmp( p_sys->pp_ssa_styles[i]->psz_stylename, "Default" ) ) { ssa_style_t *p_default_style = p_sys->pp_ssa_styles[i]; + text_style_t *p_orig_text_style = p_ssa_style->p_style; memcpy( p_ssa_style, p_default_style, sizeof( ssa_style_t ) ); + + // reset data-members that are not to be overwritten + p_ssa_style->p_style = p_orig_text_style; + p_ssa_style->psz_stylename = NULL; + //FIXME: Make font_style a pointer. Actually we double copy some data here, // we use text_style_Copy to avoid copying psz_fontname, though . text_style_Copy( p_ssa_style->p_style, p_default_style->p_style ); - p_ssa_style->psz_stylename = NULL; } } _______________________________________________ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits
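Review bot: the restore of `p_ssa_style->p_style = p_orig_text_style;` after the `memcpy` fixes the shared `text_style_t`, but `text_style_Copy( p_ssa_style->p_style, p_default_style->p_style )` then dereferences the saved pointer, so this hunk is only safe if `p_ssa_style->p_style` is guaranteed allocated before the `Default` lookup; a `NULL` check (or an early return with an error) next to the save would make that invariant explicit. The comment "reset data-members that are not to be overwritten" also points at the structural weakness here: a whole-struct `memcpy` shares every pointer member of `ssa_style_t`, not just `p_style`, so each owned pointer in the struct needs the same save-and-restore treatment or the same use-after-free / double-free pattern reappears for whichever member is next added. Two smaller points: if `p_ssa_style->psz_stylename` held an allocated string before the `memcpy`, setting it to `NULL` afterwards leaks it (freeing it first, or saving it alongside `p_orig_text_style`, would close that), and the retained `//FIXME: Make font_style a pointer` comment could be updated to reflect that the double copy is now intentional rather than accidental.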