[vlc-commits] interop_android: fix potential use-after-free of SurfaceTexture

[Alexandre Janniaux]

vlc | branch: master | Alexandre Janniaux <ajanni at videolabs.io> | Fri Jan 22 12:29:50 2021 +0100| [121bfaad812a3e66c574f255ad854f4a3f41c370] | committer: Alexandre Janniaux

interop_android: fix potential use-after-free of SurfaceTexture

picture_Release() might release the last reference to the video_context
holding the previous_texture SurfaceTexture, which still needs to be
detached and potentially have its bufer released.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=121bfaad812a3e66c574f255ad854f4a3f41c370
---

 modules/video_output/opengl/interop_android.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/modules/video_output/opengl/interop_android.c b/modules/video_output/opengl/interop_android.c
index 4f3f6dfce8..f94a7c26e9 100644
--- a/modules/video_output/opengl/interop_android.c
+++ b/modules/video_output/opengl/interop_android.c
@@ -62,18 +62,17 @@ tc_anop_update(struct vlc_gl_interop *interop, GLuint *textures,
     assert(pic->context);
     assert(textures[0] != 0);
 
-    if (priv->current_picture)
-        picture_Release(priv->current_picture);
+    picture_t *previous_picture = priv->current_picture;
     priv->current_picture = picture_Hold(pic);
 
     struct vlc_video_context *vctx = pic->context->vctx;
     android_video_context_t *avctx =
         vlc_video_context_GetPrivate(vctx, VLC_VIDEO_CONTEXT_AWINDOW);
     if (avctx == NULL)
-        return VLC_EGENERIC;
+        goto error;
 
     if (plane_offset != NULL)
-        return VLC_EGENERIC;
+        goto error;
 
     struct vlc_asurfacetexture *texture =
         avctx->get_texture(pic->context);
@@ -91,14 +90,14 @@ tc_anop_update(struct vlc_gl_interop *interop, GLuint *textures,
         }
 
         if (SurfaceTexture_attachToGLContext(texture, textures[0]) != 0)
-            return VLC_EGENERIC;
+            goto error;
 
         priv->stex_attached = true;
         priv->previous_texture = texture;
     }
 
     if (!avctx->render(pic->context))
-        return VLC_SUCCESS; /* already rendered */
+        goto success; /* already rendered */
 
     /* Release previous image */
     if (previous_texture && previous_texture != texture)
@@ -108,13 +107,21 @@ tc_anop_update(struct vlc_gl_interop *interop, GLuint *textures,
         != VLC_SUCCESS)
     {
         priv->transform_mtx = NULL;
-        return VLC_EGENERIC;
+        goto error;
     }
 
     interop->vt->ActiveTexture(GL_TEXTURE0);
     interop->vt->BindTexture(interop->tex_target, textures[0]);
 
+success:
+    if (previous_picture)
+        picture_Release(previous_picture);
     return VLC_SUCCESS;
+
+error:
+    if (previous_picture)
+        picture_Release(previous_picture);
+    return VLC_EGENERIC;
 }
 
 static const float *