Fix use-after-free bug in SPS processing

Cameron Gutman
2015-08-15 00:58:32 -07:00
parent 7946e87446
commit 8d80cc3476
+5 -4
@@ -34,14 +34,15 @@ void gs_sps_init(int width, int height) {
PLENTRY gs_sps_fix(PLENTRY *head, int flags) { PLENTRY gs_sps_fix(PLENTRY *head, int flags) {
PLENTRY entry = *head; PLENTRY entry = *head;
const char naluHeader[] = {0x00, 0x00, 0x00, 0x01};
if (replay_sps == 1) { if (replay_sps == 1) {
PLENTRY replay_entry = (PLENTRY) malloc(sizeof(*replay_entry) + 128); PLENTRY replay_entry = (PLENTRY) malloc(sizeof(*replay_entry) + 128);
if (replay_entry == NULL) if (replay_entry == NULL)
return NULL; return NULL;
replay_entry->data = (char *) (entry + 1); replay_entry->data = (char *) (entry + 1);
char spsData[] = {0x00, 0x00, 0x00, 0x01, 0x67}; memcpy(replay_entry->data, naluHeader, sizeof(naluHeader));
memcpy(replay_entry->data, spsData, sizeof(spsData));
h264_stream->sps->profile_idc = H264_PROFILE_HIGH; h264_stream->sps->profile_idc = H264_PROFILE_HIGH;
replay_entry->length = write_nal_unit(h264_stream, replay_entry->data+4, 124) + 4; replay_entry->length = write_nal_unit(h264_stream, replay_entry->data+4, 124) + 4;
@@ -100,9 +101,9 @@ PLENTRY gs_sps_fix(PLENTRY *head, int flags) {
PLENTRY next = entry->next; PLENTRY next = entry->next;
free(entry); free(entry);
sps_entry->data = (char*) (entry + 1); sps_entry->data = (char*) (sps_entry + 1);
memcpy(sps_entry->data, naluHeader, sizeof(naluHeader));
sps_entry->length = write_nal_unit(h264_stream, sps_entry->data+4, 124) + 4; sps_entry->length = write_nal_unit(h264_stream, sps_entry->data+4, 124) + 4;
printf("Writen %d\n", sps_entry->length);
sps_entry->next = next; sps_entry->next = next;
entry = sps_entry; entry = sps_entry;
} else if ((entry->data[4] & 0x1F) == NAL_UNIT_TYPE_PPS) { } else if ((entry->data[4] & 0x1F) == NAL_UNIT_TYPE_PPS) {
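Review bot: The first hunk keeps `replay_entry->data = (char *) (entry + 1);`, which is the same pattern the second hunk corrects to `(sps_entry + 1)`: the 128 bytes allocated after `replay_entry` are never used, and the start code plus up to 124 bytes of NAL data are written into the trailing buffer of `entry`, whose capacity is not visible here, so the `124` limit passed to `write_nal_unit` does not by itself bound that write. If `replay_entry` is meant to own its payload, the line should read `replay_entry->data = (char *) (replay_entry + 1);`; if overwriting `entry` in place is intentional, a comment saying so and explaining why the allocation still carries a 128-byte tail would save the next reader the same question. As a small point of style, the `+4` offsets in both hunks could be `sizeof(naluHeader)` now that the start code is a named array, so the two stay in sync. The body of `gs_sps_fix` continues outside both hunks.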