config_PutPsz: fix potential use-after-free

The new config value is duplicated, and the copy is stored to the
configuration. After the configuration R/W lock is released, we have no
warranty that another thread does not change the same configuration
item, and free our own copy. Admittedly, this is very unlikely.

Instead, we can simply pass the original string from the caller to the
callback - that one must remain valid through the config_PutPsz()
function call by definition.

diff --git a/src/config/core.c b/src/config/core.c
index 24925efa8ea6bc4a3a6fcc1077ae7da40036c264..b32577c1e61398bef2b1fe4253c2954b8437fa7e 100644 (file)
--- a/src/config/core.c
+++ b/src/config/core.c
@@ -253,7 +253,7 @@ void config_PutPsz( vlc_object_t *p_this,
                       const char *psz_name, const char *psz_value )
 {
     module_config_t *p_config;
-    vlc_value_t oldval, val;
+    vlc_value_t oldval;
 
     p_config = config_FindConfig( p_this, psz_name );
 
@@ -283,13 +283,13 @@ void config_PutPsz( vlc_object_t *p_this,
 
     p_config->value.psz = str;
     p_config->b_dirty = true;
-
-    val.psz_string = (char *)p_config->value.psz;
-
     vlc_rwlock_unlock (&config_lock);
 
     if( p_config->pf_callback )
     {
+        vlc_value_t val;
+
+        val.psz_string = (char *)psz_value;
         p_config->pf_callback( p_this, psz_name, oldval, val,
                                p_config->p_callback_data );
     }