
[MPlayer-dev-eng] [PATCH] demux_nut doublefree



 Hello,

 While fiddling with nut I found that mplayer segfaults with double
free on playing [1]. Nutparse gives

 nut/multimedia container
main_header at 0x19 [0x18 0x17 0x16 0x15 0x14 0x13 0x12 0x11 0x10 0xf
0xe 0xd 0xc 0xb 0xa] startcode: 0x4e4d7a561f5f04ad
  forward_ptr: 74
  version: 2
  stream_count: 1
  max_distance: 16383
  time_base_count: 4095
  time_base[0]: 1/2
  time_base[1]: 5176953/1
  time_base[2]: 3/0
time base values must not be zero

 The problem occurs because when a parse error happens using nut,
demux_open_nut calls uninit and free, then demux_close_nut is called
and it also tries to uninit and free. Attached patch fixes the issue.

 Since double frees can be nasty and might be security related, I
sent this mail to security about 2 months ago, and pinged later on, but
got no answer, so I am sending it to this list.

 I am not sure if it can cause a security issue, but it fixes a
segfault on a crafted file.

[1] http://samples.mplayerhq.hu/A-codecs/sonic/sonic_lossy.nut

-- 
 Onur Küçük                                      Knowledge speaks,
 <onur.--.-.delipenguen.net>                     but wisdom listens

Index: libmpdemux/demux_nut.c
===================================================================
--- libmpdemux/demux_nut.c	(revision 27471)
+++ libmpdemux/demux_nut.c	(working copy)
@@ -86,8 +86,6 @@
 	while ((ret = nut_read_headers(nut, &s, NULL)) == NUT_ERR_EAGAIN);
 	if (ret) {
 		mp_msg(MSGT_HEADER, MSGL_ERR, "NUT error: %s\n", nut_error(ret));
-		nut_demuxer_uninit(nut);
-		free(priv);
 		return NULL;
 	}
 
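Review bot: with the two cleanup lines gone, nothing in the error path records that demux_close_nut now owns priv and nut, so the bare `return NULL;` after the mp_msg reads like a leak and invites someone to put `nut_demuxer_uninit(nut); free(priv);` straight back, reintroducing the double free. Suggest a one-line comment above the return, e.g. `/* priv and nut are released by demux_close_nut() */`, and confirming that demuxer->priv is assigned before nut_read_headers is reached, since the fix depends on close finding it there.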

_______________________________________________
MPlayer-dev-eng mailing list
MPlayer-dev-eng@xxxxxxxxxxxx
https://lists.mplayerhq.hu/mailman/listinfo/mplayer-dev-eng
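The double free described in the mail comes from two owners of the same allocation: the open path frees priv and the nut context on a parse error, and demux_close_nut, which the caller runs anyway, frees them again. The following is an added example, not code from MPlayer or libnut, that models that lifecycle with stand-in types (nut_context_t, nut_priv_t, demuxer_t, read_headers, close_nut are all assumptions, as is the detail that priv is hung off the demuxer before the headers are read). A quarantining allocator records frees instead of performing them, so the "before" variant can be driven with a crafted zero time base, like the 3/0 one nutparse printed, and the double free counted rather than crashing the process; the "after" variant mirrors the patch and leaves cleanup to the single owner.

```c
/* Added example, not MPlayer or libnut code: a model of the ownership bug the
 * patch above fixes. Every name below is a stand-in for the real API. */
#include <stdio.h>
#include <stdlib.h>

/* Quarantining allocator: a free is only recorded and the block stays mapped,
 * so a double free is counted here instead of corrupting the heap. */
#define MAX_TRACKED 64
static struct { void *p; int frees; } tracked[MAX_TRACKED];
static int ntracked;
static void *track_alloc(size_t n) {
    void *p = ntracked < MAX_TRACKED ? calloc(1, n) : NULL;
    if (p) { tracked[ntracked].p = p; tracked[ntracked++].frees = 0; }
    return p;
}
static void track_free(void *p) {
    for (int i = 0; p && i < ntracked; i++)
        if (tracked[i].p == p) { tracked[i].frees++; return; }
}
static void track_reset(void) {            /* release real memory, start over */
    while (ntracked) free(tracked[--ntracked].p);
}
/* Blocks freed more than once (double frees) or never (leaks) since the reset. */
static int count_blocks(int min_frees, int max_frees) {
    int n = 0;
    for (int i = 0; i < ntracked; i++)
        n += tracked[i].frees >= min_frees && tracked[i].frees <= max_frees;
    return n;
}
static int count_double_frees(void) { return count_blocks(2, 1 << 30); }
static int count_leaks(void)        { return count_blocks(0, 0); }

/* Stand-ins for libnut's context, demux_nut.c's priv and MPlayer's demuxer. */
typedef struct { int id; } nut_context_t;
typedef struct { nut_context_t *nut; } nut_priv_t;
typedef struct { nut_priv_t *priv; } demuxer_t;
typedef struct { unsigned num, den; } time_base_t;

/* Stand-in for nut_read_headers(): a zero time base is a parse error. */
static int read_headers(const time_base_t *tb, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tb[i].num == 0 || tb[i].den == 0) return -1;
    return 0;
}
static void nut_uninit(nut_context_t *nut) { track_free(nut); }

/* Allocate priv and its nut context and hang priv off the demuxer before the
 * headers are read (assumed to match the real demux_open_nut). */
static nut_priv_t *alloc_priv(demuxer_t *d) {
    nut_priv_t *priv = track_alloc(sizeof *priv);
    if (priv) { priv->nut = track_alloc(sizeof *priv->nut); d->priv = priv; }
    return priv;
}

/* Before the patch: the error path releases what close will release again,
 * and d->priv is left dangling. */
static demuxer_t *open_buggy(demuxer_t *d, const time_base_t *tb, size_t n) {
    nut_priv_t *priv = alloc_priv(d);
    if (!priv) return NULL;
    if (read_headers(tb, n) != 0) {
        nut_uninit(priv->nut);
        track_free(priv);
        return NULL;
    }
    return d;
}

/* After the patch: just report failure; close() is the single owner of priv. */
static demuxer_t *open_fixed(demuxer_t *d, const time_base_t *tb, size_t n) {
    if (!alloc_priv(d)) return NULL;
    return read_headers(tb, n) == 0 ? d : NULL;
}

/* Stand-in for demux_close_nut(), which the caller runs even when open failed. */
static void close_nut(demuxer_t *d) {
    if (!d->priv) return;
    nut_uninit(d->priv->nut);
    track_free(d->priv);
    d->priv = NULL;
}

/* Open then close, as MPlayer does; returns the number of blocks freed twice.
 * count_leaks() afterwards reports blocks that were never freed. */
static int run_lifecycle(demuxer_t *(*open_fn)(demuxer_t *, const time_base_t *, size_t),
                         const time_base_t *tb, size_t n) {
    demuxer_t d = { NULL };
    track_reset();
    open_fn(&d, tb, n);
    close_nut(&d);
    return count_double_frees();
}

/* Constructed inputs: a sane header, and one carrying the 3/0 time base
 * nutparse reported for the sample file. */
static const time_base_t GOOD_TB[] = { {1, 2}, {1, 25} };
static const time_base_t BAD_TB[]  = { {1, 2}, {5176953, 1}, {3, 0} };

int main(void) {
    int dbl = run_lifecycle(open_buggy, BAD_TB, 3);
    printf("buggy open on crafted header: %d double frees, %d leaks\n", dbl, count_leaks());
    dbl = run_lifecycle(open_fixed, BAD_TB, 3);
    printf("fixed open on crafted header: %d double frees, %d leaks\n", dbl, count_leaks());
    return 0;
}
```

The buggy variant reports two double frees (priv and the nut context) with no leaks, the fixed variant zero of either on both the crafted and the sane header; the point of the quarantine is that the same ownership check can be run on untrusted inputs without the process aborting the moment glibc notices the second free.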