input: fix use after free with legacy commands

To handle legacy commands, string replacement is used; the modified string is returned by parse_cmd_str(), but it also frees all temporary memory, which includes the replaced string. Closes #1075.
2014-09-08 15:13:11 +02:00 · 2014-09-08 15:13:11 +02:00 · 4ef531f815
parent 3b5f28bd0f
commit 4ef531f815
1 changed files with 11 additions and 7 deletions
--- a/input/cmd_parse.c
+++ b/input/cmd_parse.c
@ -242,27 +242,28 @@ error:
    return NULL;
 }

-static struct mp_cmd *parse_cmd_str(struct mp_log *log, bstr *str, const char *loc)
+static struct mp_cmd *parse_cmd_str(struct mp_log *log, void *tmp,
+                                    bstr *str, const char *loc)
 {
    struct parse_ctx ctx = {
        .log = log,
        .loc = loc,
-        .tmp = talloc_new(NULL),
+        .tmp = tmp,
        .str = *str,
        .start = *str,
    };
    struct mp_cmd *res = parse_cmd(&ctx, MP_ON_OSD_AUTO | MP_EXPAND_PROPERTIES);
-    talloc_free(ctx.tmp);
    *str = ctx.str;
    return res;
 }

 mp_cmd_t *mp_input_parse_cmd_(struct mp_log *log, bstr str, const char *loc)
 {
+    void *tmp = talloc_new(NULL);
    bstr original = str;
-    struct mp_cmd *cmd = parse_cmd_str(log, &str, loc);
+    struct mp_cmd *cmd = parse_cmd_str(log, tmp, &str, loc);
    if (!cmd)
-        return NULL;
+        goto done;

    // Handle "multi" commands
    struct mp_cmd **p_prev = NULL;
@ -287,16 +288,19 @@ mp_cmd_t *mp_input_parse_cmd_(struct mp_log *log, bstr str, const char *loc)
            p_prev = &cmd->queue_next;
            cmd = list;
        }
-        struct mp_cmd *sub = parse_cmd_str(log, &str, loc);
+        struct mp_cmd *sub = parse_cmd_str(log, tmp, &str, loc);
        if (!sub) {
            talloc_free(cmd);
-            return NULL;
+            cmd = NULL;
+            goto done;
        }
        talloc_steal(cmd, sub);
        *p_prev = sub;
        p_prev = &sub->queue_next;
    }

+done:
+    talloc_free(tmp);
    return cmd;
 }