misc/image: ImageRead: use vlc_format_Copy

If the decoder allocates data within video_format_t.p_palette, the previous implementation would result in a use-after-free (among other issues) due to the ownership of said p_palette not being well-defined. This fixes the issue by using video_format_Copy, so that the two fmts do not refer to the same palette. fixes: #18334 Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>

misc/image: ImageRead: use vlc_format_Copy
If the decoder allocates data within video_format_t.p_palette, the previous implementation would result in a use-after-free (among other issues) due to the ownership of said p_palette not being well-defined. This fixes the issue by using video_format_Copy, so that the two fmts do not refer to the same palette. fixes: #18334 Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
ce0d3b2c · Filip Roséen · Rémi Denis-Courmont · 911f67ec · ce0d3b2c
Commit ce0d3b2c authored May 21, 2017 by Filip Roséen Committed by Rémi Denis-Courmont May 21, 2017
--- a/src/misc/image.c
+++ b/src/misc/image.c
@@ -251,9 +251,15 @@ static picture_t *ImageRead( image_handler_t *p_image, block_t *p_block,
        }

        p_pic = p_image->p_filter->pf_video_filter( p_image->p_filter, p_pic );
-        *p_fmt_out = p_image->p_filter->fmt_out.video;
+
+        video_format_Clean( p_fmt_out );
+        video_format_Copy( p_fmt_out, &p_image->p_filter->fmt_out.video );
+    }
+    else
+    {
+        video_format_Clean( p_fmt_out );
+        video_format_Copy( p_fmt_out, &p_image->p_dec->fmt_out.video );
    }
-    else *p_fmt_out = p_image->p_dec->fmt_out.video;

    return p_pic;
 }