author | Friedemann Kleint <Friedemann.Kleint@qt.io> | 2017-04-24 13:22:15 +0200 |
---|---|---|
committer | Friedemann Kleint <Friedemann.Kleint@qt.io> | 2017-04-25 12:11:32 +0000 |
commit | 56185dedd2a075e5b7e72c18e766a60b890c14a1 (patch) | |
tree | 2e7180eda06cb1259e6ae0636a2e468910debb8f | |
parent | 64e84dab2673020e4384ae36d9d1e9e4f0d8052d (diff) |
DirectShow: Fix uninitialized memory read in DirectShowMediaTypeEnum::Next()
Newly allocated memory was passed to DirectShowMediaType::copy(), which calls
DirectShowMediaType::clear() on the target, which crashes when trying to
release a COM pointer.
Split out a DirectShowMediaType::copyToUninitialized() helper function
which does not call clear() for this purpose.
Task-number: QTBUG-59515
Change-Id: I2801f4ba2c8da618ff8a1c57c4cea215fff292b4
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
-rw-r--r-- | src/plugins/directshow/helpers/directshowmediatype.cpp | 5 | ||||
-rw-r--r-- | src/plugins/directshow/helpers/directshowmediatype.h | 1 | ||||
-rw-r--r-- | src/plugins/directshow/helpers/directshowmediatypeenum.cpp | 2 |
3 files changed, 7 insertions, 1 deletions
diff --git a/src/plugins/directshow/helpers/directshowmediatype.cpp b/src/plugins/directshow/helpers/directshowmediatype.cpp
index d9ddf8248..65882806c 100644
--- a/src/plugins/directshow/helpers/directshowmediatype.cpp
+++ b/src/plugins/directshow/helpers/directshowmediatype.cpp
@@ -134,6 +134,11 @@ void DirectShowMediaType::copy(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *sourc
 clear(*target);
+ copyToUninitialized(target, source);
+}
+
+void DirectShowMediaType::copyToUninitialized(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source)
+{
 *target = *source;
 if (source->cbFormat > 0) {
diff --git a/src/plugins/directshow/helpers/directshowmediatype.h b/src/plugins/directshow/helpers/directshowmediatype.h
index 7849ca9b0..c590d406a 100644
--- a/src/plugins/directshow/helpers/directshowmediatype.h
+++ b/src/plugins/directshow/helpers/directshowmediatype.h
@@ -72,6 +72,7 @@ public:
 static void init(AM_MEDIA_TYPE *type);
 static void copy(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source);
+ static void copyToUninitialized(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source);
 static void move(AM_MEDIA_TYPE *target, AM_MEDIA_TYPE **source);
 static void move(AM_MEDIA_TYPE *target, AM_MEDIA_TYPE &source);
 static void clear(AM_MEDIA_TYPE &type);
diff --git a/src/plugins/directshow/helpers/directshowmediatypeenum.cpp b/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
index a58993f7f..a42dfdca3 100644
--- a/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
+++ b/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
@@ -72,7 +72,7 @@ HRESULT DirectShowMediaTypeEnum::Next(ULONG cMediaTypes, AM_MEDIA_TYPE **ppMedia
 for (ULONG i = 0; i < count; ++i, ++m_index) {
 ppMediaTypes[i] = reinterpret_cast<AM_MEDIA_TYPE *>(CoTaskMemAlloc(sizeof(AM_MEDIA_TYPE)));
- DirectShowMediaType::copy(ppMediaTypes[i], &m_mediaTypes.at(m_index));
+ DirectShowMediaType::copyToUninitialized(ppMediaTypes[i], &m_mediaTypes.at(m_index));
 }
 if (pcFetched) |
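Review bot: `copyToUninitialized()` is added as a public static helper with no comment stating its precondition, either at the definition in directshowmediatype.cpp or at the declaration in directshowmediatype.h. It overwrites `*target` without calling `clear()`, so calling it on an already initialized `AM_MEDIA_TYPE` would discard whatever that value owned without releasing it. Its first statement, `*target = *source;`, also dereferences both pointers unchecked. A comment above the definition would make the contract explicit, for example `// target must point to raw, writable storage; previous contents are overwritten without being released. Neither pointer may be null.` The helper's body continues past the end of the hunk, so any further requirements there are not visible here.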
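Review bot: In the loop of `DirectShowMediaTypeEnum::Next()` the result of `CoTaskMemAlloc` is passed to `copyToUninitialized()` without a null check, and the helper begins with `*target = *source;`, so a failed allocation becomes a write through a null pointer. Whatever argument validation `copy()` performs above its own hunk no longer applies on this path. Test the pointer before copying, e.g. `if (!ppMediaTypes[i]) return E_OUTOFMEMORY;`, after freeing the entries already handed out in this call and restoring `m_index`. `Next()` starts and ends outside the hunk, so the exact cleanup and the value written to `pcFetched` need to be confirmed against the full function.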