[vlc-devel] [PATCH] background_worker: Fix potential use after free
Hugo Beauzée-Luyssen
hugo at beauzee.fr
Thu Feb 6 16:50:35 CET 2020
Since we free the task and only then lock the worker mutex to reset the
task pointer, there's a window during which another thread could probe
the dangling task pointer.
Such a case can be seen here: https://code.videolan.org/videolan/medialibrary/-/jobs/351960
---
src/misc/background_worker.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/misc/background_worker.c b/src/misc/background_worker.c
index acb93cd0df..04014354e9 100644
--- a/src/misc/background_worker.c
+++ b/src/misc/background_worker.c
@@ -178,13 +178,14 @@ static void background_worker_Destroy(struct background_worker *worker)
static void TerminateTask(struct background_thread *thread, struct task *task)
{
struct background_worker *worker = thread->owner;
- task_Destroy(worker, task);
vlc_mutex_lock(&worker->lock);
thread->task = NULL;
worker->uncompleted--;
assert(worker->uncompleted >= 0);
vlc_mutex_unlock(&worker->lock);
+
+ task_Destroy(worker, task);
}
static void RemoveThread(struct background_thread *thread)
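Review bot: the reordering in TerminateTask deserves a comment, because the old order looked equally natural and nothing in the hunk stops someone from moving `task_Destroy(worker, task);` back above `vlc_mutex_lock(&worker->lock);` later. A one-line comment above the call, e.g. `/* Free only after thread->task has been cleared under worker->lock, so no other thread can observe the dangling pointer. */`, would record the invariant the commit message describes. Two related points are worth stating in the message or the comment: readers of `thread->task` are protected only if they also take `worker->lock` (the fix assumes this, but the hunk cannot show it), and if `task_Destroy()` itself acquires `worker->lock`, it must stay outside the locked region as it now does. The added blank line before `task_Destroy()` is a style nit; the rest of the function has no blank lines between statements.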
--
2.20.1