[MPlayer-dev-eng] Re: [PATCH] Avoid freeing of unallocated memory in tv.c
Nico Sabbi
nicola_sabbi at fastwebnet.it
Sun Jan 7 20:44:57 CET 2007
Vladimir Voroshilov wrote:
> 2007/1/2, Vladimir Voroshilov <voroshil at gmail.com>:
>
>>
>> Hi, All
>> I have found a small bug in tv.c.
>> If a tvi_init_* function returns NULL (e.g. fails to initialize the driver),
>> demuxer->priv will not point to allocated memory, but demux_close_tv
>> does not check this case and MPlayer will crash.
>> The attached trivial patch fixes this.
>
> Did anybody look at this patch?
>
> I have found another similar bug in tv.c: if the start method of a tvi_*
> driver returns 0 (meaning start failure), this causes the driver's
> uninit function to be called twice. The result is a crash of MPlayer.
>
> The attached patch fixes both issues. For the second issue it just prevents
> a double call to uninit.
>
>
> ------------------------------------------------------------------------
>
> Index: tv.c
> ===================================================================
> --- tv.c (revision 21825)
> +++ tv.c (working copy)
> @@ -480,6 +482,7 @@
> sh_audio_t *sh_audio = NULL;
> tvi_functions_t *funcs;
>
> + demuxer->priv=NULL;
> if(!(tvh=tv_begin())) return NULL;
> if (!tv_init(tvh)) return NULL;
> if (!open_tv(tvh)){
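Review bot: on the `if (!tv_init(tvh)) return NULL;` path just below the new `demuxer->priv=NULL;` line, the handle returned by tv_begin() is dropped with no release in the visible lines, so it is worth confirming whether tvh has to be freed before that return. The hunk also does not show where demuxer->priv is later set to tvh; the NULL check added to demux_close_tv is only reliable if that assignment happens after every failure return, and a one-line comment next to the initialisation stating this would help the next reader.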
> @@ -625,7 +628,9 @@
> static void demux_close_tv(demuxer_t *demuxer)
> {
> tvi_handle_t *tvh=(tvi_handle_t*)(demuxer->priv);
> + if (!tvh) return;
> tvh->functions->uninit(tvh->priv);
> + demuxer->priv=NULL;
> }
>
> /* ================== STREAM_TV ===================== */
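Review bot: the new `if (!tvh) return;` guard in demux_close_tv does not cover tvh->priv, and the next line still calls `tvh->functions->uninit(tvh->priv)` directly. The tv_uninit() hunk later in this patch sets tvh->priv to NULL after uninit returns nonzero, so if tv_uninit() has already run on this handle, this call passes a NULL priv to the driver. Calling tv_uninit(tvh) here, or adding the same tvh->priv check, would keep both teardown paths consistent. The visible lines also do not free tvh before `demuxer->priv=NULL;` drops the reference, so please confirm who owns the handle.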
> @@ -668,7 +682,11 @@
>
> int tv_uninit(tvi_handle_t *tvh)
> {
> - return(tvh->functions->uninit(tvh->priv));
> + if(!tvh) return 1;
> + if (!tvh->priv) return 1;
if(!tvh || !tvh->priv) return 1;
but I have some doubt about the code quality of this double check
> + int res=tvh->functions->uninit(tvh->priv);
c++ -ism
> + if(res) tvh->priv=NULL;
> + return res;
> }
>
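Review bot: `if(res) tvh->priv=NULL;` clears priv only when the driver's uninit returns nonzero, so when uninit returns 0 priv stays set and a later tv_uninit() call invokes the driver's uninit again; the double call is prevented on one path only. Either clear priv unconditionally or add a comment explaining why a repeated uninit is safe after a failed one. The `return 1` for a NULL tvh or NULL priv is indistinguishable from a nonzero uninit result, so a comment saying that "nothing to do" is meant to count as success would remove the ambiguity. `int res=...` is declared after statements, which is not valid C89; declare `int res;` at the top of the function and assign it after the checks.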
--
"Without a frontend, mplayer is useless" - someone in mplayer-users