src/video_output/video_output.c: Fixed double free in filter removal

code
qt4/components/extended_panels.cpp: Improved some dagerous string
parsing code. This whole function looks very ad hoc to me at the
moment and should be rewritten in a more robust way. In particular
this function will misbehave if a video filter exists whose name is a
substring of another video filter. This change here just makes it less
likely to crash...

diff --git a/modules/gui/qt4/components/extended_panels.cpp b/modules/gui/qt4/components/extended_panels.cpp
index 37afab8b02b11560ef20e6abe493b7c96c429da1..5851b3b6a414a592a182e1b8e4aa287b8de491c9 100644 (file)
--- a/modules/gui/qt4/components/extended_panels.cpp
+++ b/modules/gui/qt4/components/extended_panels.cpp
@@ -130,21 +130,28 @@ static void ChangeVFiltersString( intf_thread_t *p_intf,
     {
         if( psz_parser )
         {
-            memmove( psz_parser, psz_parser + strlen(psz_name) +
-                            (*(psz_parser + strlen(psz_name)) == ':' ? 1 : 0 ),
-                            strlen(psz_parser + strlen(psz_name)) + 1 );
+            if( *(psz_parser + strlen(psz_name)) == ':' )
+            {
+                memmove( psz_parser, psz_parser + strlen(psz_name) + 1,
+                         strlen(psz_parser + strlen(psz_name) + 1 ) + 1 );
+            }
+            else
+            {
+                *psz_parser = '\0';
+            }
 
             /* Remove trailing : : */
-            if( *(psz_string+strlen(psz_string ) -1 ) == ':' )
+            if( strlen( psz_string ) > 0 &&
+                *( psz_string + strlen( psz_string ) -1 ) == ':' )
             {
-                *(psz_string+strlen(psz_string ) -1 ) = '\0';
+                *( psz_string + strlen( psz_string ) -1 ) = '\0';
             }
-         }
-         else
-         {
-             free( psz_string );
-             return;
-         }
+        }
+        else
+        {
+            free( psz_string );
+            return;
+        }
     }
     /* Vout is not kept, so put that in the config */
     config_PutPsz( p_intf, "video-filter", psz_string );

diff --git a/src/video_output/video_output.c b/src/video_output/video_output.c
index 30a091775858193d88db6cd9e67623146a30d8fb..bdbf603b5face35a9de69f9f0bac6aa16a0a39c6 100644 (file)
--- a/src/video_output/video_output.c
+++ b/src/video_output/video_output.c
@@ -1549,7 +1549,11 @@ static int ParseVideoFilter2Chain( vout_thread_t *p_vout, char *psz_vfilters )
         struct config_chain_t *p_cfg =
             p_vout->p_vfilters_cfg[p_vout->i_vfilters_cfg];
         config_ChainDestroy( p_cfg );
-        free( p_vout->psz_vfilters[p_vout->i_vfilters_cfg] );
+        if( p_vout->psz_vfilters[p_vout->i_vfilters_cfg] )
+        {
+            free( p_vout->psz_vfilters[p_vout->i_vfilters_cfg] );
+            p_vout->psz_vfilters[p_vout->i_vfilters_cfg] = NULL;
+        }
     }
     p_vout->i_vfilters_cfg = 0;
     if( psz_vfilters && *psz_vfilters )