From 6b35f6ff09419006d8af86cfb507fc644669a118 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?=
Date: Sat, 29 May 2010 18:25:36 +0300
Subject: [PATCH] config_PutPsz: fix potential use-after-free

The new config value is duplicated, and the copy is stored to the configuration. After the configuration R/W lock is released, we have no warranty that another thread does not change the same configuration item, and free our own copy. Admittedly, this is very unlikely. Instead, we can simply pass the original string from the caller to the callback - that one must remain valid through the config_PutPsz() function call by definition.
---
 src/config/core.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/config/core.c b/src/config/core.c
index 24925efa8e..b32577c1e6 100644
--- a/src/config/core.c
+++ b/src/config/core.c
@@ -253,7 +253,7 @@ void config_PutPsz( vlc_object_t *p_this,
                     const char *psz_name, const char *psz_value )
 {
     module_config_t *p_config;
-    vlc_value_t oldval, val;
+    vlc_value_t oldval;
 
     p_config = config_FindConfig( p_this, psz_name );
 
@@ -283,13 +283,13 @@ void config_PutPsz( vlc_object_t *p_this,
     p_config->value.psz = str;
     p_config->b_dirty = true;
-
-    val.psz_string = (char *)p_config->value.psz;
-
     vlc_rwlock_unlock (&config_lock);
 
     if( p_config->pf_callback )
     {
+        vlc_value_t val;
+
+        val.psz_string = (char *)psz_value;
         p_config->pf_callback( p_this, psz_name, oldval, val,
                                p_config->p_callback_data );
     }
 
-- 
2.39.2
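Review bot: The new `val.psz_string = (char *)psz_value;` strips const from a caller-owned string, so any callback that writes through or retains `psz_string` now corrupts the caller's buffer (undefined behaviour if it is a string literal) instead of a private copy, and that contract is nowhere stated in the hunk. Add a comment at the assignment such as `/* Hand the caller's string to the callback, not our stored copy: the copy may be freed by a concurrent config_PutPsz() once the lock is released. Callbacks must treat psz_string as read-only and must not keep it. */`. Note also that `p_config->pf_callback` and `p_config->p_callback_data` are read after `vlc_rwlock_unlock`, so if those fields can ever be changed at runtime the same lock-release race the commit describes applies to them; if they are set once at registration, a one-line comment saying so would settle it. How `oldval` is populated and whether the previous string is freed before the callback runs are outside the hunk, as is the end of config_PutPsz, so the lifetime argument for the old value cannot be confirmed from here.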