Bug #5410

Crash in src/descrambler/descrambler.c:1285

Added by Jerome Jerome almost 6 years ago. Updated almost 6 years ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: Crashes
Target version: -
Start date: 2018-12-09
Due date:
% Done: 0%
Estimated time:
Found in version: master
Affected Versions:

Description

free() in line src/descrambler/descrambler.c:1285 will be called if des->last_data is NULL.


Files

bugfix.diff (480 Bytes) Jerome Jerome, 2018-12-09 20:44

History

#1

Updated by Jerome Jerome almost 6 years ago

FIX:

--- src/descrambler/descrambler.c.orig 2018-12-06 20:09:19.754402210 0100
++ src/descrambler/descrambler.c 2018-12-09 21:35:53.211691464 0100
@ -1282,7 +1282,8 @
}
if (des->last_data == NULL || len != des->last_data_len ||
memcmp(des->last_data, ptr, len)) {
- free(des->last_data);
if (des->last_data)
+ free(des->last_data);
des->last_data = malloc(len);
if (des->last_data) {
memcpy(des->last_data, ptr, len);
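
Review bot: the added `if (des->last_data)` guard in front of `free(des->last_data);` is redundant, because the C standard defines free(NULL) as a no-op, so the unpatched line is already safe when des->last_data is NULL. I would drop the change. A crash at this free() would have to come from a non-NULL pointer that is invalid (already freed or never initialised), and the guard does not catch that case.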

#3

Updated by Pablo R. almost 6 years ago

Good point!

#4

Updated by Joe User almost 6 years ago

I do not think it affects any platforms for which tvheadend is built.
https://stackoverflow.com/questions/1938735/does-freeptr-where-ptr-is-null-corrupt-memory

#5

Updated by Luis Alves almost 6 years ago

Why not:

diff --git a/src/descrambler/descrambler.c b/src/descrambler/descrambler.c
index 63b70b205..9b06bf6c1 100644
--- a/src/descrambler/descrambler.c
+++ b/src/descrambler/descrambler.c
@@ -1282,8 +1282,7 @@ descrambler_table_callback
     }
     if (des->last_data == NULL || len != des->last_data_len ||
         memcmp(des->last_data, ptr, len)) {
-      free(des->last_data);
-      des->last_data = malloc(len);
+      des->last_data = realloc(des->last_data, len);
       if (des->last_data) {
         memcpy(des->last_data, ptr, len);
         des->last_data_len = len;
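
Review bot: assigning the result straight back in `des->last_data = realloc(des->last_data, len);` leaks the old buffer when realloc fails, since realloc then returns NULL and leaves the original block allocated while the only pointer to it is overwritten. Take the result in a temporary and, on failure, free the old buffer and set des->last_data to NULL so the failure path behaves like the free()/malloc() version. realloc may also copy the old contents into a new block only for the following memcpy to overwrite them, so the existing free()/malloc() pair is not wasteful here.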

#6

Updated by Jaroslav Kysela almost 6 years ago

  • Status changed from New to Invalid
