authorFriedemann Kleint <Friedemann.Kleint@qt.io>2017-04-24 13:22:15 +0200
committerFriedemann Kleint <Friedemann.Kleint@qt.io>2017-04-25 12:11:32 +0000
commit56185dedd2a075e5b7e72c18e766a60b890c14a1 (patch)
tree2e7180eda06cb1259e6ae0636a2e468910debb8f /src/plugins/directshow/helpers
parent64e84dab2673020e4384ae36d9d1e9e4f0d8052d (diff)
DirectShow: Fix uninitialized memory read in DirectShowMediaTypeEnum::Next()
Newly allocated memory was passed to DirectShowMediaType::copy(), which calls DirectShowMediaType::clear() on the target, which crashes when trying to release a COM pointer. Split out a DirectShowMediaType::copyToUninitialized() helper function which does not call clear() for this purpose. Task-number: QTBUG-59515 Change-Id: I2801f4ba2c8da618ff8a1c57c4cea215fff292b4 Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
Diffstat (limited to 'src/plugins/directshow/helpers')
-rw-r--r--src/plugins/directshow/helpers/directshowmediatype.cpp5
-rw-r--r--src/plugins/directshow/helpers/directshowmediatype.h1
-rw-r--r--src/plugins/directshow/helpers/directshowmediatypeenum.cpp2
3 files changed, 7 insertions, 1 deletions
diff --git a/src/plugins/directshow/helpers/directshowmediatype.cpp b/src/plugins/directshow/helpers/directshowmediatype.cpp
index d9ddf8248..65882806c 100644
--- a/src/plugins/directshow/helpers/directshowmediatype.cpp
+++ b/src/plugins/directshow/helpers/directshowmediatype.cpp
@@ -134,6 +134,11 @@ void DirectShowMediaType::copy(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *sourc
clear(*target);
+ copyToUninitialized(target, source);
+}
+
+void DirectShowMediaType::copyToUninitialized(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source)
+{
*target = *source;
if (source->cbFormat > 0) {
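Review bot: `copyToUninitialized()` has no comment stating its precondition, and nothing in the lines shown enforces it. It overwrites `*target` with `*target = *source;` without releasing what the target held, so calling it on an already initialized AM_MEDIA_TYPE would presumably leak the format block and the COM reference that `copy()` releases through `clear()`. I would add above the definition, and on the new declaration in directshowmediatype.h, `// target must point to raw, uninitialized storage; use copy() for a target that already owns data.` The body continues past the end of this hunk, so whether the format-block allocation after `if (source->cbFormat > 0)` is checked for failure cannot be confirmed from here.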
diff --git a/src/plugins/directshow/helpers/directshowmediatype.h b/src/plugins/directshow/helpers/directshowmediatype.h
index 7849ca9b0..c590d406a 100644
--- a/src/plugins/directshow/helpers/directshowmediatype.h
+++ b/src/plugins/directshow/helpers/directshowmediatype.h
@@ -72,6 +72,7 @@ public:
static void init(AM_MEDIA_TYPE *type);
static void copy(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source);
+ static void copyToUninitialized(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source);
static void move(AM_MEDIA_TYPE *target, AM_MEDIA_TYPE **source);
static void move(AM_MEDIA_TYPE *target, AM_MEDIA_TYPE &source);
static void clear(AM_MEDIA_TYPE &type);
diff --git a/src/plugins/directshow/helpers/directshowmediatypeenum.cpp b/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
index a58993f7f..a42dfdca3 100644
--- a/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
+++ b/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
@@ -72,7 +72,7 @@ HRESULT DirectShowMediaTypeEnum::Next(ULONG cMediaTypes, AM_MEDIA_TYPE **ppMedia
for (ULONG i = 0; i < count; ++i, ++m_index) {
ppMediaTypes[i] = reinterpret_cast<AM_MEDIA_TYPE *>(CoTaskMemAlloc(sizeof(AM_MEDIA_TYPE)));
- DirectShowMediaType::copy(ppMediaTypes[i], &m_mediaTypes.at(m_index));
+ DirectShowMediaType::copyToUninitialized(ppMediaTypes[i], &m_mediaTypes.at(m_index));
}
if (pcFetched)
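Review bot: The result of `CoTaskMemAlloc` is still passed on unchecked in the loop body, and `copyToUninitialized()` writes through it immediately (`*target = *source;` in directshowmediatype.cpp). An allocation failure therefore becomes a null-pointer write inside a COM method that other components call. A guard such as `if (!ppMediaTypes[i]) return E_OUTOFMEMORY;` before the copy would stop that. Entries filled in earlier iterations would need to be freed first and `m_index` restored, so the caller never receives a half-filled array. Next() starts and ends outside this hunk, so any locking or earlier argument validation is not visible here.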