Use after free in modules/demux/playlist/sgimb.c
Working off git, revision c432a4e1:
In modules/demux/playlist/sgimb.c:369-371
369: free( p_sys->psz_uri );
370: if( asprintf( &p_sys->psz_uri, "%s%%3FMeDiAbAsEshowingId=%d%%26MeDiAbAsEconcert%%3FMeDiAbAsE",
371: p_sys->psz_uri, p_sys->i_sid ) == -1 )
The memory is freed, and then used as an argument for asprintf. If that address is used as the destination, this would not be a concern. However, in this case, it is also used as one of the arguments for the format string (see line 371), which is what makes this an instance of a use-after-free.
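One way to order the operations so the old buffer is read before it is released, as an added example and not VLC's own code or its actual fix. The struct sgimb_sys, sgimb_append_sid and sgimb_demo names are hypothetical, the input URI is constructed, and snprintf plus malloc stand in for asprintf so the block builds as plain C99.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the demuxer state: only the two fields in the report. */
struct sgimb_sys { char *psz_uri; int i_sid; };

/* Same format string as sgimb.c line 370. */
#define SGIMB_FMT "%s%%3FMeDiAbAsEshowingId=%d%%26MeDiAbAsEconcert%%3FMeDiAbAsE"

/* Build the new URI while the old one is still valid, then swap.
 * Returns 0 on success, -1 on failure (psz_uri is left untouched). */
int sgimb_append_sid(struct sgimb_sys *p_sys)
{
    if (p_sys == NULL || p_sys->psz_uri == NULL)
        return -1;
    int len = snprintf(NULL, 0, SGIMB_FMT, p_sys->psz_uri, p_sys->i_sid);
    if (len < 0)
        return -1;
    char *psz_new = malloc((size_t)len + 1);
    if (psz_new == NULL)
        return -1;
    snprintf(psz_new, (size_t)len + 1, SGIMB_FMT, p_sys->psz_uri, p_sys->i_sid);
    free(p_sys->psz_uri);      /* the last read of the old buffer is above */
    p_sys->psz_uri = psz_new;
    return 0;
}

/* Constructed driver: heap-copies uri, runs the update, and returns the
 * result (caller frees) or NULL on failure. */
char *sgimb_demo(const char *uri, int sid)
{
    struct sgimb_sys sys = { NULL, sid };
    if (uri != NULL && (sys.psz_uri = malloc(strlen(uri) + 1)) != NULL)
        strcpy(sys.psz_uri, uri);
    if (sgimb_append_sid(&sys) != 0) {
        free(sys.psz_uri);
        return NULL;
    }
    return sys.psz_uri;
}

int main(void)
{
    char *out = sgimb_demo("rtsp://example.invalid/stream", 7); /* constructed input */
    int failed = (out == NULL);
    if (!failed)
        puts(out);
    free(out);
    return failed;
}
```

Building this with -fsanitize=address and swapping the free() above the first snprintf reproduces the reported ordering as a heap-use-after-free report.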