From 7142214243bd052bc9108247cc036b77f51f7669 Mon Sep 17 00:00:00 2001
From: wm4
Date: Wed, 18 Dec 2019 18:44:21 +0100
Subject: options: fix UB/crash in key/values parser

keyvalue_list_find_key() was called on a "partially" constructed list, because the terminating NULL was added only later.

Didn't I say this code is cursed?

Fixes: #7273
---
 options/m_option.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/options/m_option.c b/options/m_option.c
index 19802f9fc4..3f6fae8e1a 100644
--- a/options/m_option.c
+++ b/options/m_option.c
@@ -1714,6 +1714,8 @@ static int parse_keyvalue_list(struct mp_log *log, const m_option_t *opt,
 }
 MP_TARRAY_APPEND(NULL, lst, num, bstrto0(NULL, key));
 MP_TARRAY_APPEND(NULL, lst, num, bstrto0(NULL, val));
+ MP_TARRAY_APPEND(NULL, lst, num, NULL);
+ num -= 1;
 }

 if (!bstr_eatstart0(¶m, ",") && !bstr_eatstart0(¶m, ":"))
@@ -1722,8 +1724,6 @@ static int parse_keyvalue_list(struct mp_log *log, const m_option_t *opt,
 mp_warn(log, "Passing more than 1 argument to %.*s is deprecated!\n",
 BSTR_P(name));
 }
- if (dst)
- MP_TARRAY_APPEND(NULL, lst, num, NULL);

 if (param.len) {
 mp_err(log, "Unparseable garbage at end of option value: '%.*s'\n",
-- 
cgit v1.2.3
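Review bot: With the unconditional `if (dst)` terminator removed in the second hunk, the only remaining NULL append is the one inside the loop in the first hunk, so if the loop body never executes (whether that can happen depends on the loop condition, which is above the hunk) `lst` is left exactly as it was on entry — NULL unless it was taken over from `dst` for an append — instead of the old one-element `{NULL}` array; any consumer after the hunk that reads `lst[0]` for an empty list would now dereference NULL, so that path is worth confirming. Note also that `num` no longer counts the terminator (the `num -= 1` backs it out), whereas the old code counted it whenever `dst` was set, so anything downstream that treated `num` as the allocated length rather than the number of strings should be checked. The `MP_TARRAY_APPEND(NULL, lst, num, NULL); num -= 1;` pair is non-obvious enough to deserve a comment, e.g. `// keep lst NULL-terminated after every pair so keyvalue_list_find_key() never reads past the end; the terminator is not counted in num and is overwritten by the next append`. parse_keyvalue_list() starts and ends outside both hunks.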