From 77f1b05d2803685b751330382c9796932e3ea00c Mon Sep 17 00:00:00 2001
From: Michael Fabian 'Xaymar' Dirks
Date: Wed, 18 Dec 2019 07:10:49 +0100
Subject: [PATCH] libobs: Fix corrupted pointers when removing properties

When obs_properties_remove_by_name is called on any obs_properties_t*, it corrupts the pointers for first_property and last which end up pointing at either unallocated memory or randomly into the heap memory. Neither of these is a good thing, and it usually leads to rapid unscheduled program behavior, also known as crashing and security issues. This fixes the issue by first checking if the pointer stored in props->last is identical to &cur->next, then checking if we are the only element (cur is also prev element), and if we are then the pointer is fixed to point back at props->first_property. Additionally fixes props->first_property which was never updated either.
---
 libobs/obs-properties.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/libobs/obs-properties.c b/libobs/obs-properties.c
index b52c6c46b..e0632323f 100644
--- a/libobs/obs-properties.c
+++ b/libobs/obs-properties.c
@@ -330,9 +330,32 @@ void obs_properties_remove_by_name(obs_properties_t *props, const char *name)
 while (cur) {
 if (strcmp(cur->name, name) == 0) {
+ // Fix props->last pointer.
+ if (props->last == &cur->next) {
+ if (cur == prev) {
+ // If we are the last entry and there
+ // is no previous entry, reset.
+ props->last = &props->first_property;
+ } else {
+ // If we are the last entry and there
+ // is a previous entry, update.
+ props->last = &prev->next;
+ }
+ }
+
+ // Fix props->first_property.
+ if (props->first_property == cur)
+ props->first_property = cur->next;
+
+ // Update the previous element next pointer with our
+ // next pointer. This is an automatic no-op if both
+ // elements alias the same memory.
 prev->next = cur->next;
- cur->next = 0;
+
+ // Finally clear our own next pointer and destroy.
+ cur->next = NULL;
 obs_property_destroy(cur);
+
 break;
 }
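Review bot: The `props->last` fix-up decides whether the removed entry is the list head with `if (cur == prev)`, which is only right if `prev` starts out equal to `props->first_property` and is advanced in step with `cur`; both of those happen outside this hunk, so the condition cannot be checked from here. The block directly below already tests the head case explicitly, so I would use the same condition in both places, `if (props->first_property == cur) {`, and write the relink as `if (prev != cur) prev->next = cur->next;` rather than relying on a self-assignment being harmless. Since a wrong `props->last` is exactly the dangling pointer the commit message describes, a short comment stating the invariant would help the next maintainer: `props->last` is `&props->first_property` for an empty list and otherwise the address of the last entry's `next` field. The loop and the rest of obs_properties_remove_by_name start and end outside the hunk.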