[vlc-commits] vdpau/display: fix use-after-free race (refs #21580)

Rémi Denis-Courmont git at videolan.org
Tue Dec 25 21:09:12 CET 2018 

vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Tue Dec 25 21:21:45 2018 +0200| [cd916afaf5312dbcb3daae20783ead8008d01a4c] | committer: Rémi Denis-Courmont

vdpau/display: fix use-after-free race (refs #21580)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=cd916afaf5312dbcb3daae20783ead8008d01a4c
---

 modules/hw/vdpau/display.c | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/modules/hw/vdpau/display.c b/modules/hw/vdpau/display.c
index cee2cbd8cb..26a3bd5257 100644
--- a/modules/hw/vdpau/display.c
+++ b/modules/hw/vdpau/display.c
@@ -70,25 +70,13 @@ struct vout_display_sys_t
     unsigned height;
 };
 
-static void PoolFree(vout_display_t *vd, picture_pool_t *pool)
-{
-    vout_display_sys_t *sys = vd->sys;
-
-    if (sys->current != NULL)
-        picture_Release(sys->current);
-    picture_pool_Release(pool);
-}
-
 static picture_pool_t *Pool(vout_display_t *vd, unsigned requested_count)
 {
     vout_display_sys_t *sys = vd->sys;
 
     if (sys->pool == NULL)
-    {
-        sys->current = NULL;
         sys->pool = vlc_vdp_output_pool_create(sys->vdp, sys->rgb_fmt,
                                                &vd->fmt, requested_count);
-    }
     return sys->pool;
 }
 
@@ -264,7 +252,7 @@ static int Control(vout_display_t *vd, int query, va_list ap)
         msg_Dbg(vd, "resetting pictures");
         if (sys->pool != NULL)
         {
-            PoolFree(vd, sys->pool);
+            picture_pool_Release(sys->pool);
             sys->pool = NULL;
         }
 
@@ -569,6 +557,7 @@ static int Open(vout_display_t *vd, const vout_display_cfg_t *cfg,
     sys->pool = NULL;
 
     /* */
+    sys->current = NULL;
     vd->sys = sys;
     vd->info.has_pictures_invalid = true;
     vd->info.subpicture_chromas = spu_chromas;
@@ -596,8 +585,10 @@ static void Close(vout_display_t *vd)
     vdp_presentation_queue_destroy(sys->vdp, sys->queue);
     vdp_presentation_queue_target_destroy(sys->vdp, sys->target);
 
+    if (sys->current != NULL)
+        picture_Release(sys->current);
     if (sys->pool != NULL)
-        PoolFree(vd, sys->pool);
+        picture_pool_Release(sys->pool);
 
     vdp_release_x11(sys->vdp);
     xcb_disconnect(sys->conn);

More information about the vlc-commits mailing list