From b062c3b199cc6bb2cc33d6a28dacb6dc48c9c370 Mon Sep 17 00:00:00 2001
From: John Stebbins
Date: Sun, 8 Jan 2017 12:30:55 -0700
Subject: [PATCH] json: fix use of freed memory

audio.out.name was getting assigned a string from a json object that could be freed resulting in a double free. also make unpack_s check for const char * type to help prevent such abuses in the future.
---
 libhb/hb_json.c | 41 +++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/libhb/hb_json.c b/libhb/hb_json.c
index 263999f1a..5321d31a1 100644
--- a/libhb/hb_json.c
+++ b/libhb/hb_json.c
@@ -718,7 +718,7 @@ static double* unpack_f(double *f) { return f; }
 static int* unpack_i(int *i) { return i; }
 static json_int_t* unpack_I(json_int_t *i) { return i; }
 static int * unpack_b(int *b) { return b; }
-static char** unpack_s(char **s) { return s; }
+static const char** unpack_s(const char **s){ return s; }
 static json_t** unpack_o(json_t** o) { return o; }
 void hb_json_job_scan( hb_handle_t * h, const char * json_job )
@@ -730,7 +730,7 @@ void hb_json_job_scan( hb_handle_t * h, const char * json_job )
 dict = hb_value_json(json_job);
 int title_index;
- char *path = NULL;
+ const char *path = NULL;
 result = json_unpack_ex(dict, &error, 0, "{s:{s:s, s:i}}", "Source",
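Review bot: The new `unpack_s(const char **s)` prototype in the @@ -718 hunk has no comment explaining why the parameter is const, so the lifetime rule it is meant to enforce stays implicit. A one-line comment above it would record that rule, e.g. `/* "s" results are borrowed from the json object; strdup() anything that must outlive it */`. The check is also only as strong as the build's handling of incompatible-pointer-type diagnostics, which is not visible here; if that diagnostic is only a warning, a `char **` argument would presumably still compile.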
@@ -812,17 +812,17 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
 hb_value_array_t * filter_list = NULL;
 hb_value_t * mux = NULL, * vcodec = NULL;
 hb_value_t * acodec_copy_mask = NULL, * acodec_fallback = NULL;
- char * destfile = NULL;
- char * range_type = NULL;
- char * video_preset = NULL, * video_tune = NULL;
- char * video_profile = NULL, * video_level = NULL;
- char * video_options = NULL;
+ const char * destfile = NULL;
+ const char * range_type = NULL;
+ const char * video_preset = NULL, * video_tune = NULL;
+ const char * video_profile = NULL, * video_level = NULL;
+ const char * video_options = NULL;
 int subtitle_search_burn = 0;
- char * meta_name = NULL, * meta_artist = NULL;
- char * meta_album_artist = NULL, * meta_release = NULL;
- char * meta_comment = NULL, * meta_genre = NULL;
- char * meta_composer = NULL, * meta_desc = NULL;
- char * meta_long_desc = NULL;
+ const char * meta_name = NULL, * meta_artist = NULL;
+ const char * meta_album_artist = NULL, * meta_release = NULL;
+ const char * meta_comment = NULL, * meta_genre = NULL;
+ const char * meta_composer = NULL, * meta_desc = NULL;
+ const char * meta_long_desc = NULL;
 json_int_t range_start = -1, range_end = -1, range_seek_points = -1;
 int vbitrate = -1;
 double vquality = HB_INVALID_VIDEO_QUALITY;
@@ -1117,7 +1117,7 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
 for (ii = 0; ii < count; ii++)
 {
 chapter_dict = hb_value_array_get(chapter_list, ii);
- char *name = NULL;
+ const char *name = NULL;
 result = json_unpack_ex(chapter_dict, &error, 0,
 "{s:s}", "Name", unpack_s(&name));
 if (result < 0)
@@ -1235,12 +1235,13 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
 hb_audio_config_t audio;
 hb_value_t *acodec = NULL, *samplerate = NULL, *mixdown = NULL;
 hb_value_t *dither = NULL;
+ const char *name = NULL;
 hb_audio_config_init(&audio);
 result = json_unpack_ex(audio_dict, &error, 0,
 "{s:i, s?s, s?o, s?F, s?F, s?o, s?b, s?o, s?o, s?i, s?F, s?F}",
 "Track", unpack_i(&audio.in.track),
- "Name", unpack_s(&audio.out.name),
+ "Name", unpack_s(&name),
 "Encoder", unpack_o(&acodec),
 "Gain", unpack_f(&audio.out.gain),
 "DRC", unpack_f(&audio.out.dynamic_range_compression),
@@ -1307,6 +1308,10 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
 audio.out.dither_method = hb_value_get_int(dither);
 }
 }
+ if (name != NULL && name[0] != 0)
+ {
+ audio.out.name = strdup(name);
+ }
 if (audio.in.track >= 0)
 {
 audio.out.track = ii;
@@ -1341,7 +1346,7 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
 hb_subtitle_config_t sub_config;
 int track = -1;
 int burn = 0;
- char *srtfile = NULL;
+ const char *srtfile = NULL;
 json_int_t offset = 0;
 result = json_unpack_ex(subtitle_dict, &error, 0,
@@ -1385,8 +1390,8 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
 strncpy(sub_config.src_filename, srtfile, 255);
 sub_config.src_filename[255] = 0;
- char *srtlang = "und";
- char *srtcodeset = "UTF-8";
+ const char *srtlang = "und";
+ const char *srtcodeset = "UTF-8";
 result = json_unpack_ex(subtitle_dict, &error, 0,
 "{s?b, s?b, s?I, " // Common
 "s?{s?s, s?s, s?s}}", // SRT
@@ -1752,7 +1757,7 @@ hb_image_t* hb_json_to_image(char *json_image)
 for (ii = 0; ii < count; ii++)
 {
 plane_dict = hb_value_array_get(planes, ii);
- char *data = NULL;
+ const char *data = NULL;
 int size;
 json_result = json_unpack_ex(plane_dict, &error, 0,
 "{s:i, s:s}",
-- 
2.40.0
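Review bot: The copy made by `audio.out.name = strdup(name);` in the @@ -1307 hunk has no visible owner: nothing in the hunk frees it, and the code that consumes `audio` lies outside the hunk. If that consumer duplicates the name itself, each named track would leak one allocation; if it keeps the pointer, the release point should be stated next to the assignment, e.g. `/* audio.out.name owns this copy; name is borrowed from audio_dict */`. The strdup() result is also unchecked, so an allocation failure silently drops the track name instead of failing the parse. The loop body in hb_dict_to_job starts and ends outside both this hunk and the @@ -1235 hunk that declares `name`.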