[MPlayer-dev-eng] [Patch] input/input.c invalid use of free

Fredrik Kuivinen freku045 at student.liu.se
Tue Mar 19 18:41:45 CET 2002


Hi

At the end of mp_input_parse_cmd the following code snippet may be found:

for( ; i < MP_CMD_MAX_ARGS && cmd_def->args[i].type != -1 ; i++) {
    memcpy(&cmd->args[i],&cmd_def->args[i],sizeof(mp_cmd_arg_t));
    if(cmd_def->args[i].type == MP_CMD_ARG_STRING && cmd_def->args[i].v.s != NULL)
        cmd->args[i].v.s = strdup(cmd_def->args[i].v.s);
}

The bug is that the cmd_def->args[i] struct isn't copied when
cmd_def->args[i].type is -1. This results in a bug in mp_cmd_free if one of the
cmd->args[n].type is MP_CMD_ARG_STRING where i <= n < MP_CMD_MAX_ARGS. The
attached patch fixes this.

Btw, in mp_input_parse_cmd errno is set to 0 and then atoi and atof are used.
After the calls to these functions errno is used to check whether any error occurred.
Quote from atoi(3):

The  atoi()  function  converts the initial portion of the
string pointed to by nptr to int.  The  behaviour  is  the
same as
      strtol(nptr, (char **)NULL, 10);
except that atoi() does not detect errors.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Same thing with atof. So the Right Thing To Do is to use strtol and strtod
instead.

/ Fredrik Kuivinen

-------------- next part --------------
Index: input/input.c
===================================================================
RCS file: /cvsroot/mplayer/main/input/input.c,v
retrieving revision 1.25
diff -u -3 -p -r1.25 input.c
--- input/input.c	19 Mar 2002 13:30:16 -0000	1.25
+++ input/input.c	19 Mar 2002 17:42:31 -0000
@@ -463,6 +463,9 @@ mp_input_parse_cmd(char* str) {
       cmd->args[i].v.s = strdup(cmd_def->args[i].v.s);
   }
 
+  if(i < MP_CMD_MAX_ARGS)
+      cmd->args[i].type = -1;
+      
   return cmd;
 }
 
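Review bot: the terminator write `+  if(i < MP_CMD_MAX_ARGS) cmd->args[i].type = -1;` only marks the first slot after the copied arguments, so it is sufficient only if mp_cmd_free stops at the first args[].type == -1; if mp_cmd_free walks all MP_CMD_MAX_ARGS slots testing for MP_CMD_ARG_STRING (the mail's own description, "where i <= n < MP_CMD_MAX_ARGS", suggests it may), slots i+1 onward still hold whatever the allocator left there, and the fix should initialise every remaining slot (a loop setting type = -1 up to MP_CMD_MAX_ARGS, or initialising the whole args array before the copy loop). Two style points: the body line is indented six spaces where the surrounding code uses four for one level (compare `+      cmd->args[i].type = -1;` with `    }` above it), and the `+      ` line adds trailing whitespace.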

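The second point of the mail (atoi/atof give the caller no way to see an error, strtol/strtod do) is easy to get subtly wrong, since strtol reports three distinct failure conditions through three different channels. The following is an added example, not code from the patch or from MPlayer's input.c, showing a checked replacement for atoi and atof; the function names parse_int_checked, parse_double_checked, int_value_or and double_value_or are invented for the illustration, and the sample inputs are constructed.

```c
/* Added example, not part of the patch or of MPlayer's input.c:
 * strtol/strtod used the way the mail recommends in place of atoi/atof.
 * Function names here are invented for the illustration. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the whole of `s` as a base-10 int.  Returns 1 on success and
 * stores the value in *out; returns 0 on empty input, trailing junk,
 * or a value that does not fit in an int.  Unlike atoi(), each of those
 * conditions is reported to the caller instead of silently yielding 0
 * or a truncated value. */
int parse_int_checked(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return 0;

    errno = 0;                       /* must be cleared before strtol() */
    v = strtol(s, &end, 10);

    if (errno == ERANGE)             /* value does not fit in a long */
        return 0;
    if (end == s || *end != '\0')    /* nothing parsed, or trailing junk */
        return 0;
    if (v < INT_MIN || v > INT_MAX)  /* fits in long but not in int */
        return 0;

    *out = (int)v;
    return 1;
}

/* Same contract for doubles, using strtod(). */
int parse_double_checked(const char *s, double *out)
{
    char *end;
    double v;

    if (s == NULL || *s == '\0')
        return 0;

    errno = 0;
    v = strtod(s, &end);

    if (errno == ERANGE)             /* overflow or underflow */
        return 0;
    if (end == s || *end != '\0')
        return 0;

    *out = v;
    return 1;
}

/* Convenience wrappers: the parsed value, or `fallback` when the input
 * is rejected.  atoi() cannot offer this because it has no error path. */
int int_value_or(const char *s, int fallback)
{
    int v;
    return parse_int_checked(s, &v) ? v : fallback;
}

double double_value_or(const char *s, double fallback)
{
    double v;
    return parse_double_checked(s, &v) ? v : fallback;
}

/* Walks a set of constructed inputs and prints what atoi() returns next
 * to the checked result.  Returns how many inputs the checked parser
 * rejected.  (For the out-of-range sample, atoi()'s result is not even
 * defined by the C standard, which is exactly the problem.) */
int demo_rejections(void)
{
    const char *samples[] = { "42", "", "12abc", "abc", "2147483648" };
    int rejected = 0;
    size_t n;

    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        int v;
        int ok = parse_int_checked(samples[n], &v);
        printf("%-12s atoi=%-11d checked: %s\n",
               samples[n], atoi(samples[n]), ok ? "ok" : "rejected");
        if (!ok)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    return demo_rejections() == 4 ? 0 : 1;
}
```

Note that clearing errno before the call is necessary but not sufficient: strtol leaves errno untouched for "" and "12abc", so the end-pointer checks are what catch empty input and trailing garbage, and the INT_MIN/INT_MAX comparison is what catches a value that fits in long but not in int.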
