Bug 774287 - hls: gst_m3u8_has_next_fragment crash
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gst-plugins-bad
Version: 1.9.90
Hardware: Other All
Importance: Normal critical
Target Milestone: 1.10.1
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Reported: 2016-11-11 17:37 UTC by Aleksandr
Modified: 2016-11-12 08:39 UTC

Description Aleksandr 2016-11-11 17:37:17 UTC
Function 'gst_m3u8_has_next_fragment' in 'gst-plugins-bad-1.9.90\ext\hls\m3u8.c' periodically crashes the program when cur=NULL
    .text:6B40225F     mov     edi, [cur+4]			 

gboolean gst_m3u8_has_next_fragment (GstM3U8 * m3u8, gboolean forward)
{
    ...
    cur = m3u8_find_next_fragment (m3u8, forward);  /* can return NULL */
    ...
    have_next = (forward && cur->next) || (!forward && cur->prev);  /* CRASH! */
    ...
}

The value 'cur' must be checked for NULL, so the expression for 'have_next' will look like:
    have_next = cur && ((forward && cur->next) || (!forward && cur->prev));
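
Added example (not part of the original report and not GStreamer code): a self-contained C model of the unguarded and guarded check described above. The Frag type, the lookup function and the three-entry playlist are constructed assumptions; only the two have_next expressions follow the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a doubly linked fragment list node. */
typedef struct Frag {
    long seq;
    struct Frag *next, *prev;
} Frag;

/* Hypothetical lookup: first fragment at or past `seq` in the play
 * direction, or NULL when no fragment qualifies. */
Frag *find_next_fragment(Frag *head, long seq, bool forward)
{
    Frag *best = NULL;
    for (Frag *f = head; f != NULL; f = f->next) {
        if (forward && f->seq >= seq) return f;
        if (!forward && f->seq <= seq) best = f;
    }
    return best;
}

/* Unguarded form from the report: dereferences cur even when it is NULL. */
bool has_next_unguarded(Frag *cur, bool forward)
{
    return (forward && cur->next) || (!forward && cur->prev);
}

/* Guarded form suggested in the report: a NULL cur means "no next fragment". */
bool has_next_guarded(Frag *cur, bool forward)
{
    return cur && ((forward && cur->next) || (!forward && cur->prev));
}

/* Runs the guarded check against a constructed playlist with seq 10..12. */
bool demo_has_next(long seq, bool forward)
{
    Frag f[3] = { {10, NULL, NULL}, {11, NULL, NULL}, {12, NULL, NULL} };
    f[0].next = &f[1]; f[1].prev = &f[0];
    f[1].next = &f[2]; f[2].prev = &f[1];
    return has_next_guarded(find_next_fragment(f, seq, forward), forward);
}

int main(void)
{
    printf("seq 10 forward: %d\n", demo_has_next(10, true));
    printf("seq 13 forward (lookup returns NULL): %d\n", demo_has_next(13, true));
    return 0;
}
```

Passing the NULL lookup result to has_next_unguarded instead reproduces the class of crash in the report, so the example never calls it.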
Comment 1 Sebastian Dröge (slomo) 2016-11-12 08:39:22 UTC
commit 31892110bc3dcb04ef9824ca708d1e699bd0869e
Author: Sebastian Dröge <sebastian@centricular.com>
Date:   Sat Nov 12 10:38:04 2016 +0200

    hlsdemux: Fix NULL pointer dereference when checking if there is a next fragment
    
    Thanks to Aleksandr <tumaleksandr@yandex.ua> for reporting and
    suggesting the fix.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=774287