diff options
author | wm4 <wm4@nowhere> | 2019-12-18 18:44:21 +0100 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2019-12-18 18:44:21 +0100 |
commit | 7142214243bd052bc9108247cc036b77f51f7669 (patch) | |
tree | 251b8afc3fd1952457025cce91f723ab4be5f5e5 /options/m_option.c | |
parent | 09ea3a424fee80636f38e6615af5fbe8a3bdb896 (diff) | |
download | mpv-7142214243bd052bc9108247cc036b77f51f7669.tar.bz2 mpv-7142214243bd052bc9108247cc036b77f51f7669.tar.xz |
options: fix UB/crash in key/values parser
keyvalue_list_find_key() was called on a "partially" constructed list,
because the terminating NULL was added only later. Didn't I say this
code is cursed?
Fixes: #7273
Diffstat (limited to 'options/m_option.c')
-rw-r--r-- | options/m_option.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/options/m_option.c b/options/m_option.c index 19802f9fc4..3f6fae8e1a 100644 --- a/options/m_option.c +++ b/options/m_option.c @@ -1714,6 +1714,8 @@ static int parse_keyvalue_list(struct mp_log *log, const m_option_t *opt, } MP_TARRAY_APPEND(NULL, lst, num, bstrto0(NULL, key)); MP_TARRAY_APPEND(NULL, lst, num, bstrto0(NULL, val)); + MP_TARRAY_APPEND(NULL, lst, num, NULL); + num -= 1; } if (!bstr_eatstart0(¶m, ",") && !bstr_eatstart0(¶m, ":")) @@ -1722,8 +1724,6 @@ static int parse_keyvalue_list(struct mp_log *log, const m_option_t *opt, mp_warn(log, "Passing more than 1 argument to %.*s is deprecated!\n", BSTR_P(name)); } - if (dst) - MP_TARRAY_APPEND(NULL, lst, num, NULL); if (param.len) { mp_err(log, "Unparseable garbage at end of option value: '%.*s'\n", |