Commit 6cc343a2 authored by Thomas Guillem's avatar Thomas Guillem Committed by Jean-Baptiste Kempf

DCP: fix heap-use-after-free on xml_ReaderNextNode error

==9090==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000173170 at pc 0x7f8a86e19063 bp 0x7f8a7bbf9230 sp 0x7f8a7bbf89e0
READ of size 2 at 0x602000173170 thread T10
[000061200002c080] dbus interface debug: Getting All properties
[000061200002c080] dbus interface debug: Getting All properties
    #0 0x7f8a86e19062  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x3c062)
    #1 0x7f8a84dda3b6 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x1203b6)
    #2 0x7f8a4d1bfef1 in XmlFile::ReadNextNode(demux_t*, xml_reader_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ../../modules/access/dcp/dcpparser.cpp:750
    #3 0x7f8a4d1c0d82 in PKL::Parse() ../../modules/access/dcp/dcpparser.cpp:864
    #4 0x7f8a4d1bbe32 in AssetMap::Parse() ../../modules/access/dcp/dcpparser.cpp:291
    #5 0x7f8a4d1b2f7c in parseXML(demux_t*) ../../modules/access/dcp/dcp.cpp:1011
    #6 0x7f8a4d1b2b12 in dcpInit(demux_t*) ../../modules/access/dcp/dcp.cpp:942
    #7 0x7f8a4d1ad3c2 in Open ../../modules/access/dcp/dcp.cpp:326
    #8 0x7f8a8653b97d in generic_start ../../src/modules/modules.c:356
    #9 0x7f8a8653acd4 in module_load ../../src/modules/modules.c:183
    #10 0x7f8a8653b328 in vlc_module_load ../../src/modules/modules.c:279
    #11 0x7f8a8653bace in module_need ../../src/modules/modules.c:371
    #12 0x7f8a8658c8c5 in demux_NewAdvanced ../../src/input/demux.c:270
    #13 0x7f8a865c84c7 in InputDemuxNew ../../src/input/input.c:2403
    #14 0x7f8a865c8e89 in InputSourceNew ../../src/input/input.c:2555
    #15 0x7f8a865c15bf in Init ../../src/input/input.c:1303
    #16 0x7f8a865bc641 in Run ../../src/input/input.c:498
    #17 0x7f8a857ee493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #18 0x7f8a8532cafe in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8afe)

0x602000173170 is located 0 bytes inside of 12-byte region [0x602000173170,0x60200017317c)
freed by thread T10 here:
    #0 0x7f8a86e9ea10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f8a78a29181 in ReaderNextNode ../../modules/misc/xml/libxml.c:217
    #2 0x7f8a4d1ba838 in xml_ReaderNextNode ../../include/vlc_xml.h:87
    #3 0x7f8a4d1bfec2 in XmlFile::ReadNextNode(demux_t*, xml_reader_t*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) ../../modules/access/dcp/dcpparser.cpp:744
    #4 0x7f8a4d1c0d82 in PKL::Parse() ../../modules/access/dcp/dcpparser.cpp:864
    #5 0x7f8a4d1bbe32 in AssetMap::Parse() ../../modules/access/dcp/dcpparser.cpp:291
    #6 0x7f8a4d1b2f7c in parseXML(demux_t*) ../../modules/access/dcp/dcp.cpp:1011
    #7 0x7f8a4d1b2b12 in dcpInit(demux_t*) ../../modules/access/dcp/dcp.cpp:942
    #8 0x7f8a4d1ad3c2 in Open ../../modules/access/dcp/dcp.cpp:326
    #9 0x7f8a8653b97d in generic_start ../../src/modules/modules.c:356
    #10 0x7f8a8653acd4 in module_load ../../src/modules/modules.c:183
    #11 0x7f8a8653b328 in vlc_module_load ../../src/modules/modules.c:279
    #12 0x7f8a8653bace in module_need ../../src/modules/modules.c:371
    #13 0x7f8a8658c8c5 in demux_NewAdvanced ../../src/input/demux.c:270
    #14 0x7f8a865c84c7 in InputDemuxNew ../../src/input/input.c:2403
    #15 0x7f8a865c8e89 in InputSourceNew ../../src/input/input.c:2555
    #16 0x7f8a865c15bf in Init ../../src/input/input.c:1303
    #17 0x7f8a865bc641 in Run ../../src/input/input.c:498
    #18 0x7f8a857ee493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

(cherry picked from commit 1b1de3b7)
Signed-off-by: Jean-Baptiste Kempf's avatarJean-Baptiste Kempf <jb@videolan.org>
parent 9ab3615d
......@@ -743,6 +743,9 @@ int XmlFile::ReadNextNode( demux_t *p_demux, xml_reader_t *p_xmlReader, string&
const char * c_node;
int i = xml_ReaderNextNode( p_xmlReader, &c_node );
if( i <= XML_READER_NONE )
return i;
/* remove namespaces, if there are any */
string s_node = c_node;
size_t ui_pos = s_node.find( ":" );
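Review bot: The new `if( i <= XML_READER_NONE ) return i;` stops the dangling `c_node` from being copied into `s_node`, but nothing in the hunk records why the guard is needed, and `c_node` on the line above is still left uninitialized. I would write `const char *c_node = NULL;` and comment the check with `/* on XML_READER_ERROR/NONE c_node is not valid here (per the ASan trace the reader has already freed the previous node name), so bail out before copying it into a std::string */`; whether xml_ReaderNextNode touches `c_node` at all on the error path I cannot tell from the hunk, so the NULL init is defensive. Since `i` is now propagated verbatim, callers such as PKL::Parse from the trace must treat a negative return as an error and not just compare it against node types; those call sites are outside this hunk. XmlFile::ReadNextNode continues past the end of the hunk.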