libobs: Fix corrupted pointers when removing properties

When obs_properties_remove_by_name is called on any obs_properties_t*, it corrupts the pointers for first_property and last which end up pointing at either unallocated memory or randomly into the heap memory. Neither of these is a good thing, and it usually leads to rapid unscheduled program behavior, also known as crashing and security issues. This fixes the issue by first checking if the pointer stored in props->last is identical to &cur->next, then checking if we are the only element (cur is also prev element), and if we are then the pointer is fixed to point back at props->first_property. Additionally fixes props->first_property which was never updated either.
2019-12-18 07:10:49 +01:00 · 2019-12-18 07:10:49 +01:00 · 77f1b05d28
commit 77f1b05d28
parent 4b3fbb3062
1 changed files with 24 additions and 1 deletions
--- a/libobs/obs-properties.c
+++ b/libobs/obs-properties.c
@ -330,9 +330,32 @@ void obs_properties_remove_by_name(obs_properties_t *props, const char *name)

 	while (cur) {
 		if (strcmp(cur->name, name) == 0) {
+			// Fix props->last pointer.
+			if (props->last == &cur->next) {
+				if (cur == prev) {
+					// If we are the last entry and there
+					// is no previous entry, reset.
+					props->last = &props->first_property;
+				} else {
+					// If we are the last entry and there
+					// is a previous entry, update.
+					props->last = &prev->next;
+				}
+			}
+
+			// Fix props->first_property.
+			if (props->first_property == cur)
+				props->first_property = cur->next;
+
+			// Update the previous element next pointer with our
+			// next pointer. This is an automatic no-op if both
+			// elements alias the same memory.
 			prev->next = cur->next;
-			cur->next = 0;
+
+			// Finally clear our own next pointer and destroy.
+			cur->next = NULL;
 			obs_property_destroy(cur);
+
 			break;
 		}