[vlc-devel] [PATCH] background_worker: Fix potential use after free
Romain Vimont
rom1v at videolabs.io
Thu Feb 6 16:53:30 CET 2020
LGTM
On 2/6/20 4:50 PM, Hugo Beauzée-Luyssen wrote:
> Since we free the task and only then lock the worker mutex to reset the
> task pointer, there's a window during which another thread could probe
> the dangling task pointer.
>
> Such a case can be seen here: https://code.videolan.org/videolan/medialibrary/-/jobs/351960
> ---
> src/misc/background_worker.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/misc/background_worker.c b/src/misc/background_worker.c
> index acb93cd0df..04014354e9 100644
> --- a/src/misc/background_worker.c
> +++ b/src/misc/background_worker.c
> @@ -178,13 +178,14 @@ static void background_worker_Destroy(struct background_worker *worker)
> static void TerminateTask(struct background_thread *thread, struct task *task)
> {
> struct background_worker *worker = thread->owner;
> - task_Destroy(worker, task);
>
> vlc_mutex_lock(&worker->lock);
> thread->task = NULL;
> worker->uncompleted--;
> assert(worker->uncompleted >= 0);
> vlc_mutex_unlock(&worker->lock);
> +
> + task_Destroy(worker, task);
> }
>
> static void RemoveThread(struct background_thread *thread)
>
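Review bot: the reordering in TerminateTask is correct for the race the commit message describes, since thread->task is now cleared under worker->lock before the task memory is released, so any thread that probes thread->task while holding the lock can no longer observe a dangling pointer. One thing worth checking is that task_Destroy(worker, task) now runs after worker->uncompleted has been decremented and the lock dropped: if any code waits for uncompleted to reach zero and then tears the worker down (background_worker_Destroy appears in the hunk context), worker itself could be gone by the time task_Destroy dereferences it, so please confirm that path is excluded. A one-line comment above the moved `task_Destroy(worker, task);` stating that destruction is deliberately done outside the lock would also keep a later cleanup from moving it back.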