Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#8724 closed defect (fixed)

Use after free in modules/demux/playlist/sgimb.c

Reported by: mkaplan
Owned by: courmisch
Priority: normal
Milestone: 2.0.7
Component: Demuxers: Playlist
Version: master git
Severity: critical
Keywords:
Cc:
Difficulty: unknown
Platform(s): all
Work status: Not started


Working off git, revision c432a4e1866d4eaace985b987380a8a8b642425c :

In modules/demux/playlist/sgimb.c:369-371

369: free( p_sys->psz_uri );
370: if( asprintf( &p_sys->psz_uri, "%s%%3FMeDiAbAsEshowingId=%d%%26MeDiAbAsEconcert%%3FMeDiAbAsE",
371:         p_sys->psz_uri, p_sys->i_sid ) == -1 )

The memory is freed, and then used as an argument for asprintf. If that address is used as the destination, this would not be a concern. However, in this case, it is also used as one of the arguments for the format string (see line 371), which is what makes this an instance of a use-after-free.
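The safe ordering for this pattern, as an added example (not the code from the VLC fix, which this page does not show): format into a fresh buffer first, and free the old string only once that has succeeded. `struct demux_sys`, `str_reformat` and `append_mediabase_query` are hypothetical names, and the sample URI is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* GNU/BSD extension; declared here so no feature-test macro is needed. */
int vasprintf(char **strp, const char *fmt, va_list ap);

/* Hypothetical stand-in for the demuxer state (the two fields in the ticket). */
struct demux_sys { char *psz_uri; int i_sid; };

/* Pattern from the ticket, for contrast only (undefined behaviour):
 *     free(sys->psz_uri);
 *     asprintf(&sys->psz_uri, "%s...", sys->psz_uri, sys->i_sid);
 * "%s" reads the string after free(), when the chunk may already be reused. */

/* Replace *dst with a newly formatted string. The old *dst may appear among
 * the arguments: it is freed only after formatting succeeded. On failure
 * *dst is left untouched and -1 is returned. */
static int str_reformat(char **dst, const char *fmt, ...)
{
    char *fresh = NULL;
    va_list ap;
    va_start(ap, fmt);
    int len = vasprintf(&fresh, fmt, ap);
    va_end(ap);
    if (len == -1)
        return -1;
    free(*dst);
    *dst = fresh;
    return len;
}

/* Same format string as sgimb.c lines 369-371, with the safe ordering. */
static int append_mediabase_query(struct demux_sys *sys)
{
    return str_reformat(&sys->psz_uri,
        "%s%%3FMeDiAbAsEshowingId=%d%%26MeDiAbAsEconcert%%3FMeDiAbAsE",
        sys->psz_uri, sys->i_sid);
}

int main(void)
{
    struct demux_sys sys = { NULL, 42 };  /* constructed sample values */
    int rc = str_reformat(&sys.psz_uri, "%s", "rtsp://media.example/stream");
    if (rc != -1 && (rc = append_mediabase_query(&sys)) != -1)
        puts(sys.psz_uri);
    free(sys.psz_uri);
    return rc == -1;
}
```

Because the old string stays valid on the failure path, the caller's normal cleanup can still free it without a double free or a dangling pointer.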

Change History (3)

comment:1 Changed 2 years ago by courmisch

  • Component changed from Stream output: Muxers to Demuxers: Playlist
  • Milestone changed from Bugs paradize to 2.1.0 bugs
  • Owner set to courmisch
  • Severity changed from normal to critical
  • Status changed from new to assigned

comment:2 Changed 2 years ago by courmisch

  • Milestone changed from 2.1.0 bugs to 2.0.7
  • Resolution set to fixed
  • Status changed from assigned to closed

comment:3 Changed 2 years ago by remi@…

commit b701ae9ee5a78ca4d04d8c00c6c248d082dcc3f7
Author: Rémi Denis-Courmont <remi@…>
Date: Tue Jun 4 23:44:13 2013 +0300

sgimb: use after free (fixes #8724)
