[MPlayer-dev-eng] [PATCH] demux_nut doublefree
Onur Küçük
onur at delipenguen.net
Sun Oct 12 18:40:44 CEST 2008
Hello,
While fiddling with nut I found that mplayer segfaults with double
free on playing [1]. Nutparse gives
nut/multimedia container
main_header at 0x19 [0x18 0x17 0x16 0x15 0x14 0x13 0x12 0x11 0x10 0xf
0xe 0xd 0xc 0xb 0xa] startcode: 0x4e4d7a561f5f04ad
forward_ptr: 74
version: 2
stream_count: 1
max_distance: 16383
time_base_count: 4095
time_base[0]: 1/2
time_base[1]: 5176953/1
time_base[2]: 3/0
time base values must not be zero
The problem occurs because when a parse error happens using nut,
demux_open_nut calls uninit and free, then demux_close_nut is called
and it also tries to uninit and free. Attached patch fixes the issue.
Since double frees can be nasty and might be security related, I sent
this mail to security about 2 months ago, and pinged later on, but
got no answer, so I am sending it to this list.
I am not sure if it can cause a security issue, but it fixes a
segfault on a crafted file.
[1] http://samples.mplayerhq.hu/A-codecs/sonic/sonic_lossy.nut
--
Onur Küçük Knowledge speaks,
<onur.--.-.delipenguen.net> but wisdom listens
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nut_double_free.patch
Type: text/x-diff
Size: 419 bytes
Desc: not available
URL: <http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/attachments/20081012/df8b5155/attachment.patch>
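The ownership problem the mail describes (the open path frees the parser context on error, then the close path frees it again) as an added, constructed C model. This is not MPlayer's demux_nut code or the attached patch: the structs, the functions demux_open_nut_before / demux_open_nut_after / demux_close_nut / nut_free, the freed-pointer log and the header byte layout are all hypothetical, chosen only to show the before and after shape of the error path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the demuxer state, not MPlayer's structs. */
typedef struct {
    unsigned char *time_base;   /* num/den byte pairs parsed from the header */
    int time_base_count;
} nut_context_t;

typedef struct {
    nut_context_t *nut;         /* owned by the demuxer, NULL when nothing is open */
} demuxer_priv_t;

/* Instrumentation: log freed contexts so a second free is counted, not executed.
   In a real build ASan or valgrind plays this role. */
static const void *freed_log[16];
static int freed_log_n;
static int double_free_count;

static nut_context_t *nut_alloc(void) {
    nut_context_t *ctx = calloc(1, sizeof *ctx);
    for (int i = 0; i < freed_log_n; i++)          /* address is live again */
        if (freed_log[i] == ctx) freed_log[i] = freed_log[--freed_log_n];
    return ctx;
}

static void nut_free(nut_context_t *ctx) {
    for (int i = 0; i < freed_log_n; i++)
        if (freed_log[i] == ctx) { double_free_count++; return; }  /* never dereferenced */
    if (freed_log_n < 16) freed_log[freed_log_n++] = ctx;
    free(ctx->time_base);
    free(ctx);
}

/* Constructed header layout: a count byte, then (num, den) byte pairs. The zero
   check mirrors the "time base values must not be zero" error from nutparse. */
static int parse_main_header(nut_context_t *ctx, const unsigned char *hdr, size_t len) {
    if (len < 1 || len < 1 + 2 * (size_t)hdr[0]) return -1;      /* truncated */
    ctx->time_base_count = hdr[0];
    ctx->time_base = malloc(2 * (size_t)hdr[0] + 1);
    if (!ctx->time_base) return -1;
    memcpy(ctx->time_base, hdr + 1, 2 * (size_t)hdr[0]);
    for (int i = 0; i < ctx->time_base_count; i++)
        if (hdr[1 + 2 * i] == 0 || hdr[2 + 2 * i] == 0) return -1;  /* zero time base */
    return 0;
}

/* Before the fix: the error path frees the context but leaves priv->nut
   dangling, so the close call that follows frees it a second time. */
static int demux_open_nut_before(demuxer_priv_t *priv, const unsigned char *hdr, size_t len) {
    priv->nut = nut_alloc();
    if (parse_main_header(priv->nut, hdr, len) < 0) {
        nut_free(priv->nut);
        return -1;
    }
    return 0;
}

/* After: clean up locally and hand ownership to priv only on success,
   so close has nothing left to free when open failed. */
static int demux_open_nut_after(demuxer_priv_t *priv, const unsigned char *hdr, size_t len) {
    nut_context_t *ctx = nut_alloc();
    if (parse_main_header(ctx, hdr, len) < 0) {
        nut_free(ctx);
        priv->nut = NULL;
        return -1;
    }
    priv->nut = ctx;
    return 0;
}

static void demux_close_nut(demuxer_priv_t *priv) {
    if (priv->nut) { nut_free(priv->nut); priv->nut = NULL; }
}

typedef int (*open_fn_t)(demuxer_priv_t *, const unsigned char *, size_t);

/* Runs open then close, as the player does even when open fails, and
   returns how many double frees the instrumentation caught. */
static int run_scenario(open_fn_t open_fn, const unsigned char *hdr, size_t len) {
    demuxer_priv_t priv = { NULL };
    double_free_count = 0;
    open_fn(&priv, hdr, len);
    demux_close_nut(&priv);
    return double_free_count;
}

/* Constructed sample headers, not bytes taken from sonic_lossy.nut. */
static const unsigned char NUT_HDR_GOOD[] = { 2, 1, 2, 5, 1 };
static const unsigned char NUT_HDR_BAD[]  = { 3, 1, 2, 5, 1, 3, 0 };  /* time_base[2] = 3/0 */

int main(void) {
    printf("before fix, crafted header: %d double free(s)\n",
           run_scenario(demux_open_nut_before, NUT_HDR_BAD, sizeof NUT_HDR_BAD));
    printf("after fix,  crafted header: %d double free(s)\n",
           run_scenario(demux_open_nut_after, NUT_HDR_BAD, sizeof NUT_HDR_BAD));
    printf("after fix,  good header:    %d double free(s)\n",
           run_scenario(demux_open_nut_after, NUT_HDR_GOOD, sizeof NUT_HDR_GOOD));
    return 0;
}
```

The model makes exactly one function responsible for each allocation's lifetime: the context is either freed by the open path (and never published in priv) or published and freed by close. Which of the two cleanups the real 419-byte patch removes is in the attachment, not in the mail, so the model does not claim to reproduce it; either direction works as long as the pointer is not left dangling. Building MPlayer with AddressSanitizer and playing the crafted sample would report the same second free with both stacks.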