[vlc-commits] doc: QtGl: fix heap use-after-free

[Alexandre Janniaux]

vlc | branch: master | Alexandre Janniaux <ajanni at videolabs.io> | Fri Nov 20 15:45:50 2020 +0100| [0135f73c1b8e8991eca62ed756d47774363c8df4] | committer: Alexandre Janniaux

doc: QtGl: fix heap use-after-free

>From asan report:

==774849==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000051a8 at pc 0x7f06d1d61af3 bp 0x7ffe464e1af0 sp 0x7ffe464e1ae0
WRITE of size 8 at 0x6080000051a8 thread T0
    #0 0x7f06d1d61af2 in vlc_atomic_rc_dec ../../include/vlc_atomic.h:58
    #1 0x7f06d1d61af2 in libvlc_release ../../lib/core.c:82
    #2 0x55bc01a4167c in QtVLCWidget::cleanup() ../qtvlcwidget.cpp:253
    #3 0x55bc01a439c1 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (QtVLCWidget::*)()>::call(void (QtVLCWidget::*)(), QtVLCWidget*, void**) /usr/include/qt/QtCore/qobjectdefs_impl.h:152
    #4 0x55bc01a439c1 in void QtPrivate::FunctionPointer<void (QtVLCWidget::*)()>::call<QtPrivate::List<>, void>(void (QtVLCWidget::*)(), QtVLCWidget*, void**) /usr/include/qt/QtCore/qobjectdefs_impl.h:185
    #5 0x55bc01a439c1 in QtPrivate::QSlotObject<void (QtVLCWidget::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/qt/QtCore/qobjectdefs_impl.h:418
    #6 0x7f06d0d86035  (/usr/lib/libQt5Core.so.5+0x2eb035)
    #7 0x7f06d116db79 in QOpenGLContext::destroy() (/usr/lib/libQt5Gui.so.5+0x180b79)
    #8 0x7f06d116de77 in QOpenGLContext::~QOpenGLContext() (/usr/lib/libQt5Gui.so.5+0x180e77)
    #9 0x7f06d116de99 in QOpenGLContext::~QOpenGLContext() (/usr/lib/libQt5Gui.so.5+0x180e99)
    #10 0x7f06d1874c0b  (/usr/lib/libQt5Widgets.so.5+0x1bac0b)
    #11 0x7f06d1874c94 in QOpenGLWidget::~QOpenGLWidget() (/usr/lib/libQt5Widgets.so.5+0x1bac94)
    #12 0x55bc01a430e1 in QtVLCWidget::~QtVLCWidget() ../qtvlcwidget.cpp:237
    #13 0x7f06d0d7936d in QObjectPrivate::deleteChildren() (/usr/lib/libQt5Core.so.5+0x2de36d)
    #14 0x7f06d185104d in QWidget::~QWidget() (/usr/lib/libQt5Widgets.so.5+0x19704d)
    #15 0x55bc01a40e25 in main ../main.cpp:27
    #16 0x7f06d0513151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
    #17 0x55bc01a40fed in _start (/home/alexandre/workspace/videolabs/vlc/doc/libvlc/QtGL/build/qtglvlc+0x5fed)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=0135f73c1b8e8991eca62ed756d47774363c8df4
---

 doc/libvlc/QtGL/qtvlcwidget.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/libvlc/QtGL/qtvlcwidget.cpp b/doc/libvlc/QtGL/qtvlcwidget.cpp
index 305d989efc..d1ff858af8 100644
--- a/doc/libvlc/QtGL/qtvlcwidget.cpp
+++ b/doc/libvlc/QtGL/qtvlcwidget.cpp
@@ -249,10 +249,14 @@ QSize QtVLCWidget::sizeHint() const
 void QtVLCWidget::cleanup()
 {
     stop();
+
     if (m_vlc)
         libvlc_release(m_vlc);
+    m_vlc = nullptr;
+
     if (m_program == nullptr)
         return;
+
     makeCurrent();
     vertexBuffer.destroy();
     vertexIndexBuffer.destroy();