[MPlayer-users] patch to fix illegal memory access in mplayer (fwd)

Nilmoni Deb ndeb at ece.cmu.edu
Sun Oct 6 16:50:02 CEST 2002


Hi,
	I posted this fix in mplayer-dev-eng but got the message that it's
a subscriber-only list now and my post will go through a moderator if it has
to be posted. Now, I don't know how frequently the moderator(s) filter
messages since I am yet to see my post appearing. You all can check if the
fix is important enough and speed up things.

thanks
- Nil

---------- Forwarded message ----------
Date: Sun, 6 Oct 2002 01:28:46 -0400 (EDT)
From: Nilmoni Deb <ndeb at ece.cmu.edu>
To: mplayer-dev-eng at mplayerhq.hu
Subject: patch to fix illegal memory access in mplayer


Hi,
	I was getting segmentation faults with current CVS. The segfaults
are highly reproducible. I used Electric Fence (instead of gdb) to catch
the exact place where the illegal memory access was occurring. I tracked
it down to these lines in mplayer.c (CVS v1.587).

   2640 // time to uninit all, except global stuff:
   2641 uninit_player(INITED_ALL-(INITED_GUI+INITED_LIRC+INITED_INPUT));
   2642 

This line frees the structures pointed to by the pointers:
	sh_audio
	sh_video
But printf statements show that these pointers are not initialized to NULL
after this uninit operation. Later on, in these lines:

   2694   current_module="uninit_acodec";
   2695   if(sh_audio) uninit_audio(sh_audio);
   2696   sh_audio=NULL;
   2697 
   2698   current_module="uninit_vcodec";
   2699   if(sh_video) uninit_video(sh_video);
   2700   sh_video=NULL;
   2701 

these pointers are freed a _second_ time. This implies a double free!!
Here is the patch to fix this:


--- mplayer.c   Sun Oct  6 00:35:54 2002
+++ mplayer.c.new       Sun Oct  6 00:48:12 2002
@@ -2639,6 +2639,8 @@
 
 // time to uninit all, except global stuff:
 uninit_player(INITED_ALL-(INITED_GUI+INITED_LIRC+INITED_INPUT));
+sh_audio=NULL;
+sh_video=NULL;
 
 if(eof == PT_NEXT_ENTRY || eof == PT_PREV_ENTRY) {
   eof = eof == PT_NEXT_ENTRY ? 1 : -1;
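Review bot: the two added `sh_audio=NULL;` / `sh_video=NULL;` lines fix the crash at this call site only, while the actual ownership problem sits inside uninit_player(), which frees the structures but leaves the caller's pointers intact; the same stale pointers will survive any other call of uninit_player(). Consider clearing the pointers where the free happens (in uninit_player() or the uninit_audio()/uninit_video() calls it makes), so that the later `if(sh_audio) uninit_audio(sh_audio);` guard is reliable everywhere rather than only on this path. A one-line comment above the added assignments saying they protect the guarded second uninit would also tell the next reader why they are here.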


The above patch removes the segfaults, but I think this NULL assignment
should be taken care of by the audio_out->uninit() call (and other
similar functions) in uninit_player().

Also, I recommend using Electric Fence for catching memory abuse, as in
many cases the program may not segfault (lucky escape!!) for the
particular movie file, but Electric Fence will catch the abuse anyhow.

thanks
- Nil
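The following is an added C example, not code from the post or from MPlayer, that replays the shutdown sequence described above in three variants: the original shape (pointer passed by value, caller keeps the stale address), the posted patch (NULL assignment at the call site) and the alternative the poster argues for (the callee clears the owning pointer). The `sh_t` type, the `run_shutdown()` driver and the small live-allocation table are assumptions made for the example; the table plays the role of Electric Fence's bookkeeping only in the sense that it refuses and counts a second free of the same block instead of letting it corrupt the heap.

```c
#include <stdlib.h>

#define MAX_LIVE 64

/* Minimal live-allocation table (assumption: a real tool such as Electric
 * Fence uses guard pages, not a table). A free of a block that is not live
 * is reported and refused, so a double free cannot corrupt the heap here. */
static void *live[MAX_LIVE];

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);            /* table full: treat as allocation failure */
    return NULL;
}

/* Returns 0 for a valid free (free(NULL) is a no-op), -1 when p is not a
 * live block, i.e. a double free or a stray pointer. Unknown blocks are
 * never passed to free(). */
static int tracked_free(void *p)
{
    if (!p)
        return 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return 0;
        }
    }
    return -1;
}

/* Hypothetical stand-in for MPlayer's sh_audio_t / sh_video_t. */
typedef struct { int codec_id; } sh_t;

static int rejected_frees;  /* frees the tracker refused in one run */

/* Shape of the pre-patch code: the pointer is passed by value, so the
 * caller's variable still holds the freed address afterwards. */
static void uninit_by_value(sh_t *sh)
{
    if (tracked_free(sh) != 0)
        rejected_frees++;
}

/* Shape the poster argues for: the callee that frees the block also clears
 * the caller's pointer, so a later `if (sh_audio)` guard sees NULL. */
static void uninit_by_ref(sh_t **sh)
{
    if (tracked_free(*sh) != 0)
        rejected_frees++;
    *sh = NULL;
}

enum { SHUTDOWN_ORIGINAL, SHUTDOWN_PATCHED, SHUTDOWN_BY_REF };

/* Replays the sequence from the report: a broad uninit_player() pass, then
 * the later guarded uninit_acodec / uninit_vcodec pass. Returns how many
 * frees the tracker rejected; 0 means no double free occurred. */
int run_shutdown(int mode)
{
    sh_t *sh_audio = tracked_malloc(sizeof *sh_audio);
    sh_t *sh_video = tracked_malloc(sizeof *sh_video);
    rejected_frees = 0;

    /* pass 1: uninit_player() analogue */
    if (mode == SHUTDOWN_BY_REF) {
        uninit_by_ref(&sh_audio);
        uninit_by_ref(&sh_video);
    } else {
        uninit_by_value(sh_audio);
        uninit_by_value(sh_video);
        if (mode == SHUTDOWN_PATCHED) {   /* the two lines the patch adds */
            sh_audio = NULL;
            sh_video = NULL;
        }
    }

    /* pass 2: the guarded per-codec uninit, exactly as in the report. In the
     * ORIGINAL mode the guards test a stale pointer and re-enter the uninit. */
    if (sh_audio) uninit_by_value(sh_audio);
    sh_audio = NULL;
    if (sh_video) uninit_by_value(sh_video);
    sh_video = NULL;

    return rejected_frees;
}

int main(void)
{
    /* 2 rejected frees for the original shape, 0 for either fix */
    return (run_shutdown(SHUTDOWN_ORIGINAL) == 2 &&
            run_shutdown(SHUTDOWN_PATCHED) == 0 &&
            run_shutdown(SHUTDOWN_BY_REF) == 0) ? 0 : 1;
}
```

The two fixes both yield zero rejected frees, but they differ in where the invariant lives: the patched variant relies on every caller of the broad uninit remembering the two assignments, whereas the by-reference variant keeps "freed implies NULL" inside the function that does the freeing, which is what makes the later `if (sh_audio)` guard trustworthy on every path.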