[vlc-devel] [PATCH] input: missing lock on title update

[Francois Cartegnie]

Don't know why it never happened before.

==9309==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000630cd0 at pc 0x7efbfe9e291e bp 0x7efbd91f1af0 sp 0x7efbd91f1ae0
READ of size 8 at 0x603000630cd0 thread T4
    #0 0x7efbfe9e291d in vlc_input_title_Duplicate ../../vlc/include/vlc_input.h:137
    #1 0x7efbfe9e291d in input_vaControl ../../vlc/src/input/control.c:357
    #2 0x7efbfe9e389c in input_Control ../../vlc/src/input/control.c:59
    #3 0x7efbdc9816cb in InputManager::UpdateNavigation() ../../vlc/modules/gui/qt/input_manager.cpp:453
    #4 0x7efbdc9855bf in InputManager::customEvent(QEvent*) ../../vlc/modules/gui/qt/input_manager.cpp:262
    #5 0x7efbdb923c14 in QObject::event(QEvent*) (/lib64/libQt5Core.so.5+0x28fc14)
    #6 0x7efbdc263ad5 in QApplicationPrivate::notify_helper(QObject*, QEvent*) (/lib64/libQt5Widgets.so.5+0x16fad5)
    #7 0x7efbdc26d14f in QApplication::notify(QObject*, QEvent*) (/lib64/libQt5Widgets.so.5+0x17914f)
    #8 0x7efbdb8f8de7 in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/lib64/libQt5Core.so.5+0x264de7)
    #9 0x7efbdb8fbd8a in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) (/lib64/libQt5Core.so.5+0x267d8a)
    #10 0x7efbdb94df26  (/lib64/libQt5Core.so.5+0x2b9f26)
    #11 0x7efbdaeacecc in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x4fecc)
    #12 0x7efbdaead25f  (/lib64/libglib-2.0.so.0+0x5025f)
    #13 0x7efbdaead302 in g_main_context_iteration (/lib64/libglib-2.0.so.0+0x50302)
    #14 0x7efbdb94dcb4 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/lib64/libQt5Core.so.5+0x2b9cb4)
    #15 0x7efbdb8f7cea in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/lib64/libQt5Core.so.5+0x263cea)
    #16 0x7efbdb8ffa15 in QCoreApplication::exec() (/lib64/libQt5Core.so.5+0x26ba15)
    #17 0x7efbdc921bee in ThreadPlatform ../../vlc/modules/gui/qt/qt.cpp:643
    #18 0x7efbdc923589 in ThreadXCB ../../vlc/modules/gui/qt/qt.cpp:368
    #19 0x7efbfe7394bf in start_thread (/lib64/libpthread.so.0+0x84bf)
    #20 0x7efbfe65f162 in clone (/lib64/libc.so.6+0xfc162)

0x603000630cd0 is located 0 bytes inside of 32-byte region [0x603000630cd0,0x603000630cf0)
freed by thread T14 here:
    #0 0x7efbfed6485f in __interceptor_free (/lib64/libasan.so.5+0x10d85f)
    #1 0x7efbfea275e7 in vlc_input_title_Delete ../../vlc/include/vlc_input.h:129
    #2 0x7efbfea275e7 in vlc_input_title_Delete ../../vlc/include/vlc_input.h:119
    #3 0x7efbfea275e7 in UpdateTitleListfromDemux ../../vlc/src/input/input.c:2509
    #4 0x7efbfea275e7 in MainLoopDemux ../../vlc/src/input/input.c:584
    #5 0x7efbfea275e7 in MainLoop ../../vlc/src/input/input.c:723
    #6 0x7efbfea2d0be in Run ../../vlc/src/input/input.c:505

---
 src/input/input.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/input/input.c b/src/input/input.c
index 75de527279..c97e78adea 100644
--- a/src/input/input.c
+++ b/src/input/input.c
@@ -2502,6 +2502,7 @@ static void UpdateTitleListfromDemux( input_thread_t *p_input )
     input_thread_private_t *priv = input_priv(p_input);
     input_source_t *in = priv->master;
 
+    vlc_mutex_lock( &priv->p_item->lock );
     /* Delete the preexisting titles */
     if( in->i_title > 0 )
     {
@@ -2521,6 +2522,8 @@ static void UpdateTitleListfromDemux( input_thread_t *p_input )
     else
         in->b_title_demux = true;
 
+    vlc_mutex_unlock( &priv->p_item->lock );
+
     InitTitle( p_input );
 }
 
-- 
2.21.0