From 56185dedd2a075e5b7e72c18e766a60b890c14a1 Mon Sep 17 00:00:00 2001
From: Friedemann Kleint
Date: Mon, 24 Apr 2017 13:22:15 +0200
Subject: DirectShow: Fix uninitialized memory read in DirectShowMediaTypeEnum::Next()
Newly allocated memory was passed to DirectShowMediaType::copy(), which calls DirectShowMediaType::clear() on the target, which crashes when trying to release a COM pointer. Split out a DirectShowMediaType::copyToUninitialized() helper function which does not call clear() for this purpose.
Task-number: QTBUG-59515
Change-Id: I2801f4ba2c8da618ff8a1c57c4cea215fff292b4
Reviewed-by: Eskil Abrahamsen Blomfeldt
---
 src/plugins/directshow/helpers/directshowmediatype.cpp | 5 +++++
 src/plugins/directshow/helpers/directshowmediatype.h | 1 +
 src/plugins/directshow/helpers/directshowmediatypeenum.cpp | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)
 (limited to 'src/plugins/directshow')
diff --git a/src/plugins/directshow/helpers/directshowmediatype.cpp b/src/plugins/directshow/helpers/directshowmediatype.cpp
index d9ddf8248..65882806c 100644
--- a/src/plugins/directshow/helpers/directshowmediatype.cpp
+++ b/src/plugins/directshow/helpers/directshowmediatype.cpp
@@ -134,6 +134,11 @@ void DirectShowMediaType::copy(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *sourc
 clear(*target);
+ copyToUninitialized(target, source);
+}
+
+void DirectShowMediaType::copyToUninitialized(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source)
+{
 *target = *source;
 if (source->cbFormat > 0) {
diff --git a/src/plugins/directshow/helpers/directshowmediatype.h b/src/plugins/directshow/helpers/directshowmediatype.h
index 7849ca9b0..c590d406a 100644
--- a/src/plugins/directshow/helpers/directshowmediatype.h
+++ b/src/plugins/directshow/helpers/directshowmediatype.h
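Review bot: copyToUninitialized() opens with the shallow assignment `*target = *source`, so whatever `target` already held (pbFormat, pUnk) is overwritten without being released; that is the intended contract for freshly CoTaskMemAlloc()ed memory, but neither this definition nor the declaration added in the directshowmediatype.h hunk says so, and a caller using it on an initialized AM_MEDIA_TYPE would leak the format block and the COM reference the commit message says clear() releases. Suggest a comment above the definition and on the header declaration: `// Copies into memory that does not hold a valid AM_MEDIA_TYPE (e.g. fresh CoTaskMemAlloc()); unlike copy(), the target is not clear()ed first.` The remainder of copyToUninitialized() (the pbFormat handling for cbFormat > 0) continues outside the hunk, so whether pUnk is AddRef()ed there cannot be confirmed from this view and is worth checking against clear().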
@@ -72,6 +72,7 @@ public:
 static void init(AM_MEDIA_TYPE *type);
 static void copy(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source);
+ static void copyToUninitialized(AM_MEDIA_TYPE *target, const AM_MEDIA_TYPE *source);
 static void move(AM_MEDIA_TYPE *target, AM_MEDIA_TYPE **source);
 static void move(AM_MEDIA_TYPE *target, AM_MEDIA_TYPE &source);
 static void clear(AM_MEDIA_TYPE &type);
diff --git a/src/plugins/directshow/helpers/directshowmediatypeenum.cpp b/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
index a58993f7f..a42dfdca3 100644
--- a/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
+++ b/src/plugins/directshow/helpers/directshowmediatypeenum.cpp
@@ -72,7 +72,7 @@ HRESULT DirectShowMediaTypeEnum::Next(ULONG cMediaTypes, AM_MEDIA_TYPE **ppMedia
 for (ULONG i = 0; i < count; ++i, ++m_index) {
 ppMediaTypes[i] = reinterpret_cast(CoTaskMemAlloc(sizeof(AM_MEDIA_TYPE)));
- DirectShowMediaType::copy(ppMediaTypes[i], &m_mediaTypes.at(m_index));
+ DirectShowMediaType::copyToUninitialized(ppMediaTypes[i], &m_mediaTypes.at(m_index));
 }
 if (pcFetched)
-- cgit v1.2.3
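Review bot: The result of CoTaskMemAlloc() on the line above the changed call is still unchecked, so an allocation failure makes copyToUninitialized() write through a null ppMediaTypes[i]; the commit fixes the uninitialized-read crash but leaves this null dereference in the same loop. Add `if (!ppMediaTypes[i]) return E_OUTOFMEMORY;` directly after the allocation, and before returning release the entries filled in by earlier iterations of this loop so the caller is not handed a partially filled array it cannot free. The enclosing Next() function begins and ends outside the hunk, so where the partial cleanup belongs cannot be placed exactly from this view.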