[vlc-commits] playlist: Fix use after free

2018-02-14 Thread Hugo Beauzée-Luyssen
vlc/vlc-3.0 | branch: master | Hugo Beauzée-Luyssen  | Wed Feb 
14 12:28:17 2018 +0100| [45956905cd229a12d3b686f35acaaf9d8e947488] | committer: 
Hugo Beauzée-Luyssen

playlist: Fix use after free

Nodes shouldn't be inserted in the playlist item array. ChangeToNode is
expected to remove it, but in case the item is created as a node, it
would still lie there, causing potential use after free.

Fix #19701

(cherry picked from commit 70174a131ac045b33a8db417e7c626ec67cb0f53)
Signed-off-by: Hugo Beauzée-Luyssen 

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=45956905cd229a12d3b686f35acaaf9d8e947488
---

 src/playlist/item.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/playlist/item.c b/src/playlist/item.c
index 3f4e782177..c0928fecd6 100644
--- a/src/playlist/item.c
+++ b/src/playlist/item.c
@@ -533,7 +533,8 @@ playlist_item_t * playlist_NodeAddInput( playlist_t 
*p_playlist,
 if( unlikely(p_item == NULL) )
 return NULL;
 
-ARRAY_APPEND(p_playlist->items, p_item);
+if( p_input->i_type != ITEM_TYPE_NODE )
+ARRAY_APPEND(p_playlist->items, p_item);
 
 playlist_NodeInsert( p_parent, p_item, i_pos );
 playlist_SendAddNotify( p_playlist, p_item );
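Review bot: The new guard `if( p_input->i_type != ITEM_TYPE_NODE )` carries no comment, so the invariant it protects (node items must never sit in p_playlist->items) is recorded only in the commit message. A one-line comment above the condition saying that nodes are kept out of the items array would stop a later cleanup from restoring the unconditional ARRAY_APPEND. The check also reads the type from p_input rather than from the freshly created p_item, so it holds only if the item always mirrors the input's type at this point; worth confirming or asserting.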

___
vlc-commits mailing list
vlc-commits@videolan.org
https://mailman.videolan.org/listinfo/vlc-commits


[vlc-commits] playlist: Fix use after free

2018-02-14 Thread Hugo Beauzée-Luyssen
vlc | branch: master | Hugo Beauzée-Luyssen  | Wed Feb 14 
12:28:17 2018 +0100| [70174a131ac045b33a8db417e7c626ec67cb0f53] | committer: 
Hugo Beauzée-Luyssen

playlist: Fix use after free

Nodes shouldn't be inserted in the playlist item array. ChangeToNode is
expected to remove it, but in case the item is created as a node, it
would still lie there, causing potential use after free.

Fix #19701

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=70174a131ac045b33a8db417e7c626ec67cb0f53
---

 src/playlist/item.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/playlist/item.c b/src/playlist/item.c
index 3f4e782177..c0928fecd6 100644
--- a/src/playlist/item.c
+++ b/src/playlist/item.c
@@ -533,7 +533,8 @@ playlist_item_t * playlist_NodeAddInput( playlist_t 
*p_playlist,
 if( unlikely(p_item == NULL) )
 return NULL;
 
-ARRAY_APPEND(p_playlist->items, p_item);
+if( p_input->i_type != ITEM_TYPE_NODE )
+ARRAY_APPEND(p_playlist->items, p_item);
 
 playlist_NodeInsert( p_parent, p_item, i_pos );
 playlist_SendAddNotify( p_playlist, p_item );
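Review bot: playlist_NodeInsert() and playlist_SendAddNotify() still run unconditionally after the guarded ARRAY_APPEND, so a node item is now announced to listeners without being present in p_playlist->items. Any receiver of the add notification that resolves the item through that array will no longer find it; please confirm that no such lookup is done for nodes, or state in the function's documentation that node items are reachable only through the tree.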



[vlc-commits] playlist: fix use after free in current array

2016-11-17 Thread Rémi Denis-Courmont
vlc | branch: master | Rémi Denis-Courmont  | Thu Nov 17 
22:02:08 2016 +0200| [4151f731a9a58a66e2931ae51cdb5939523e7c6b] | committer: 
Rémi Denis-Courmont

playlist: fix use after free in current array

The "current" array is *not* sorted by ID. Binary search cannot work
there. (Maybe this should be a linked list instead.)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=4151f731a9a58a66e2931ae51cdb5939523e7c6b
---

 src/playlist/tree.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/playlist/tree.c b/src/playlist/tree.c
index 8bc560f..b6bc9c3 100644
--- a/src/playlist/tree.c
+++ b/src/playlist/tree.c
@@ -129,9 +129,11 @@ void playlist_NodeDelete( playlist_t *p_playlist, 
playlist_item_t *p_root,
 set_current_status_item( p_playlist, NULL );
 }
 
-ARRAY_BSEARCH( p_playlist->current,->i_id, int, p_root->i_id, i );
-if( i != -1 )
-ARRAY_REMOVE( p_playlist->current, i );
+for( i = 0; i < p_playlist->current.i_size; i++ )
+if( p_playlist->current.p_elems[i] == p_root )
+ARRAY_REMOVE( p_playlist->current, i );
+for( i = 0; i < p_playlist->current.i_size; i++ )
+assert( p_playlist->current.p_elems[i] != p_root );
 
 PL_DEBUG( "deleting item `%s'", p_root->p_input->psz_name );
 
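Review bot: In the removal loop, `ARRAY_REMOVE( p_playlist->current, i )` is followed by the loop's own `i++`, so the element that shifts down into slot i is never compared against p_root. If p_root can occupy two adjacent slots, the second entry survives; the assert loop that follows catches this only in builds where assert() is active, and with NDEBUG the pointer to the item being deleted stays in the array. Either `break` after the removal if p_root can occur at most once, or step i back after removing (or iterate from the end) so every element is checked.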
