[vlc-commits] background_worker: Fix potential use after free

[Hugo Beauzée-Luyssen]

vlc | branch: master | Hugo Beauzée-Luyssen <hugo at beauzee.fr> | Thu Feb  6 16:48:36 2020 +0100| [99b00ffb1fe9a371f6df3478a5a2a03a2406e43e] | committer: Hugo Beauzée-Luyssen

background_worker: Fix potential use after free

Since we free the task and only then lock the worker mutex to reset the
task pointer, there's a window during which another thread could probe
the dangling task pointer.

Such a case can be seen here: https://code.videolan.org/videolan/medialibrary/-/jobs/351960

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=99b00ffb1fe9a371f6df3478a5a2a03a2406e43e
---

 src/misc/background_worker.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/misc/background_worker.c b/src/misc/background_worker.c
index acb93cd0df..04014354e9 100644
--- a/src/misc/background_worker.c
+++ b/src/misc/background_worker.c
@@ -178,13 +178,14 @@ static void background_worker_Destroy(struct background_worker *worker)
 static void TerminateTask(struct background_thread *thread, struct task *task)
 {
     struct background_worker *worker = thread->owner;
-    task_Destroy(worker, task);
 
     vlc_mutex_lock(&worker->lock);
     thread->task = NULL;
     worker->uncompleted--;
     assert(worker->uncompleted >= 0);
     vlc_mutex_unlock(&worker->lock);
+
+    task_Destroy(worker, task);
 }
 
 static void RemoveThread(struct background_thread *thread)