[DVDnav-discuss] dvdnav: fix invalid free in dvdnav_free_dup

[John Stebbins]

libdvdnav | branch: master | John Stebbins <jstebbins at jetheaddev.com> | Fri Aug 22 12:06:41 2014 -0700| [93f9aa5947321f90d19f74a60eeaceff8fd09f71] | committer: John Stebbins

dvdnav: fix invalid free in dvdnav_free_dup

When path was changed from char[] to char*, a free was added to
dvdnav_free_dup, but the string was not copied in dvdnav_dup resulting
in a double free.

> http://git.videolan.org/gitweb.cgi/libdvdnav.git/?a=commit;h=93f9aa5947321f90d19f74a60eeaceff8fd09f71
---

 src/dvdnav.c |   27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/dvdnav.c b/src/dvdnav.c
index 6f32550..a5fac25 100644
--- a/src/dvdnav.c
+++ b/src/dvdnav.c
@@ -74,27 +74,40 @@ dvdnav_status_t dvdnav_dup(dvdnav_t **dest, dvdnav_t *src) {
 
   (*dest) = NULL;
   this = (dvdnav_t*)malloc(sizeof(dvdnav_t));
-  if(!this)
+  if (!this)
     return DVDNAV_STATUS_ERR;
 
   memcpy(this, src, sizeof(dvdnav_t));
   this->file = NULL;
+  this->vm = NULL;
+  this->path = NULL;
+  this->cache = NULL;
 
   pthread_mutex_init(&this->vm_lock, NULL);
 
   this->vm = vm_new_copy(src->vm);
-  if(!this->vm) {
-    printerr("Error initialising the DVD VM.");
-    pthread_mutex_destroy(&this->vm_lock);
-    free(this);
-    return DVDNAV_STATUS_ERR;
-  }
+  if (!this->vm)
+    goto fail;
+
+  this->path = strdup(src->path);
+  if (!this->path)
+    goto fail;
 
   /* Start the read-ahead cache. */
   this->cache = dvdnav_read_cache_new(this);
+  if (!this->cache)
+    goto fail;
 
   (*dest) = this;
   return DVDNAV_STATUS_OK;
+
+fail:
+    printerr("Error initialising the DVD VM.");
+    pthread_mutex_destroy(&this->vm_lock);
+    vm_free_vm(this->vm);
+    free(this->path);
+    free(this);
+    return DVDNAV_STATUS_ERR;
 }
 
 dvdnav_status_t dvdnav_free_dup(dvdnav_t *this) {