json: fix use of freed memory

audio.out.name was getting assigned a string from a json object that
could be freed resulting in a double free.

also make unpack_s check for const char * type to help prevent such
abuses in the future.

1 files changed, 23 insertions, 18 deletions

diff --git a/libhb/hb_json.c b/libhb/hb_json.c
index 263999f1a..5321d31a1 100644
--- a/libhb/hb_json.c
+++ b/libhb/hb_json.c
@@ -718,7 +718,7 @@ static double*      unpack_f(double *f)     { return f; }
 static int*         unpack_i(int *i)        { return i; }
 static json_int_t*  unpack_I(json_int_t *i) { return i; }
 static int *        unpack_b(int *b)        { return b; }
-static char**       unpack_s(char **s)      { return s; }
+static const char** unpack_s(const char **s){ return s; }
 static json_t**     unpack_o(json_t** o)    { return o; }
 
 void hb_json_job_scan( hb_handle_t * h, const char * json_job )
@@ -730,7 +730,7 @@ void hb_json_job_scan( hb_handle_t * h, const char * json_job )
     dict = hb_value_json(json_job);
 
     int title_index;
-    char *path = NULL;
+    const char *path = NULL;
 
     result = json_unpack_ex(dict, &error, 0, "{s:{s:s, s:i}}",
                             "Source",
@@ -812,17 +812,17 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
     hb_value_array_t * filter_list = NULL;
     hb_value_t       * mux = NULL, * vcodec = NULL;
     hb_value_t       * acodec_copy_mask = NULL, * acodec_fallback = NULL;
-    char             * destfile = NULL;
-    char             * range_type = NULL;
-    char             * video_preset = NULL, * video_tune = NULL;
-    char             * video_profile = NULL, * video_level = NULL;
-    char             * video_options = NULL;
+    const char       * destfile = NULL;
+    const char       * range_type = NULL;
+    const char       * video_preset = NULL, * video_tune = NULL;
+    const char       * video_profile = NULL, * video_level = NULL;
+    const char       * video_options = NULL;
     int                subtitle_search_burn = 0;
-    char             * meta_name = NULL, * meta_artist = NULL;
-    char             * meta_album_artist = NULL, * meta_release = NULL;
-    char             * meta_comment = NULL, * meta_genre = NULL;
-    char             * meta_composer = NULL, * meta_desc = NULL;
-    char             * meta_long_desc = NULL;
+    const char       * meta_name = NULL, * meta_artist = NULL;
+    const char       * meta_album_artist = NULL, * meta_release = NULL;
+    const char       * meta_comment = NULL, * meta_genre = NULL;
+    const char       * meta_composer = NULL, * meta_desc = NULL;
+    const char       * meta_long_desc = NULL;
     json_int_t         range_start = -1, range_end = -1, range_seek_points = -1;
     int                vbitrate = -1;
     double             vquality = HB_INVALID_VIDEO_QUALITY;
@@ -1117,7 +1117,7 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
         for (ii = 0; ii < count; ii++)
         {
             chapter_dict = hb_value_array_get(chapter_list, ii);
-            char *name = NULL;
+            const char *name = NULL;
             result = json_unpack_ex(chapter_dict, &error, 0,
                                     "{s:s}", "Name", unpack_s(&name));
             if (result < 0)
@@ -1235,12 +1235,13 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
             hb_audio_config_t audio;
             hb_value_t *acodec = NULL, *samplerate = NULL, *mixdown = NULL;
             hb_value_t *dither = NULL;
+            const char *name = NULL;
 
             hb_audio_config_init(&audio);
             result = json_unpack_ex(audio_dict, &error, 0,
                 "{s:i, s?s, s?o, s?F, s?F, s?o, s?b, s?o, s?o, s?i, s?F, s?F}",
                 "Track",                unpack_i(&audio.in.track),
-                "Name",                 unpack_s(&audio.out.name),
+                "Name",                 unpack_s(&name),
                 "Encoder",              unpack_o(&acodec),
                 "Gain",                 unpack_f(&audio.out.gain),
                 "DRC",                  unpack_f(&audio.out.dynamic_range_compression),
@@ -1307,6 +1308,10 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
                     audio.out.dither_method = hb_value_get_int(dither);
                 }
             }
+            if (name != NULL && name[0] != 0)
+            {
+                audio.out.name = strdup(name);
+            }
             if (audio.in.track >= 0)
             {
                 audio.out.track = ii;
@@ -1341,7 +1346,7 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
             hb_subtitle_config_t sub_config;
             int track = -1;
             int burn = 0;
-            char *srtfile = NULL;
+            const char *srtfile = NULL;
             json_int_t offset = 0;
 
             result = json_unpack_ex(subtitle_dict, &error, 0,
@@ -1385,8 +1390,8 @@ hb_job_t* hb_dict_to_job( hb_handle_t * h, hb_dict_t *dict )
                 strncpy(sub_config.src_filename, srtfile, 255);
                 sub_config.src_filename[255] = 0;
 
-                char *srtlang = "und";
-                char *srtcodeset = "UTF-8";
+                const char *srtlang = "und";
+                const char *srtcodeset = "UTF-8";
                 result = json_unpack_ex(subtitle_dict, &error, 0,
                     "{s?b, s?b, s?I, "      // Common
                     "s?{s?s, s?s, s?s}}",   // SRT
@@ -1752,7 +1757,7 @@ hb_image_t* hb_json_to_image(char *json_image)
         for (ii = 0; ii < count; ii++)
         {
             plane_dict = hb_value_array_get(planes, ii);
-            char *data = NULL;
+            const char *data = NULL;
             int size;
             json_result = json_unpack_ex(plane_dict, &error, 0,
                                          "{s:i, s:s}",