[vlc-devel] [PATCH] input: decoder: fix NULL deref on early cancellation
Rémi Denis-Courmont
remi at remlab.net
Tue Mar 10 08:48:03 CET 2020
Le tiistaina 10. maaliskuuta 2020, 9.44.16 EET Thomas Guillem a écrit :
> On Tue, Mar 10, 2020, at 08:01, Steve Lhomme wrote:
> > The patch won't hurt but I also wonder how it's possible to end up in
>
> I don't like this reasoning, the variables state of input/decoder.c need to
> be clearly defined.
Me neither. This should be an assertion IMO.
> > this situation.
>
> Easy, Kill the decoder with an asynchronous decoder.
> DeleteDecoder() will first destroy the out_pool, then the module will be
> unloaded. So, nothing prevent the module to request a picture from an
> asynchronous thread between the out_pool destroy and the module unloading.
>
> Since ModuleThread_NewVideoBuffer() is called without a lock, this patch is
> wrong. The proposed solution is to first unload the module, then destroy
> the out_pool from DeleteDecoder().
> > The decoder thread is not canceled as far as I can see in decoder.c. So
> > that means the ModuleThread in this case is an internal thread of the
> > decoder (likely lavc). If it's canceled it should prevent other threads
> > trying to continue using the decoder after that. In this case the
> > "decoder" object is a resource that should be protected from multiple
> > thread accesses at the same time.
> >
> > So maybe this fix (if it actually happened) is hiding a different problem.
> >
> > On 2020-03-10 7:49, Thomas Guillem wrote:
> > > On Mon, Mar 9, 2020, at 22:50, Francois Cartegnie wrote:
> > >> ---
> > >>
> > >> src/input/decoder.c | 3 ++-
> > >> 1 file changed, 2 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/src/input/decoder.c b/src/input/decoder.c
> > >> index d868c21f23..998a2816bb 100644
> > >> --- a/src/input/decoder.c
> > >> +++ b/src/input/decoder.c
> > >> @@ -650,7 +650,8 @@ static picture_t *ModuleThread_NewVideoBuffer(
> > >> decoder_t *p_dec )
> > >>
> > >> {
> > >>
> > >> struct decoder_owner *p_owner = dec_get_owner( p_dec );
> > >> assert( p_owner->p_vout );
> > >>
> > >> -
> > >> + if( p_owner->out_pool == NULL )
> > >> + return NULL;
> > >
> > > The big question is : why is the out_pool destroyed before the decoder
> > > module in DeleteDecoder ?>
> > It makes sense to remove the pictures allocated by the decoder before
> > the decoder module is gone and possibly DLLs not accessible anymore to
> > do it (DVXA.DLL for example).
> >
> > In practice this pool is a shadow of the actual surfaces allocated by
> > the decoder in GPU decoding. It may not hold any "context" at this
> > point. It depends if some pictures are in-flight (sent by the decoder to
> > be used) or not. In CPU decoding it's not an issue. This pool could also
> > go away if each decoder managed its pool but that is not the case yet.
> >
> > > So that every future decoder_NewPicture fails ? In that case, this patch
> > > is OK for me.
> > >
> > > Steve ?
> > >
> > >> picture_t *pic = picture_pool_Wait( p_owner->out_pool );
> > >> if (pic)
> > >>
> > >> picture_Reset( pic );
> > >>
> > >> _______________________________________________
> > >> vlc-devel mailing list
> > >> To unsubscribe or modify your subscription options:
> > >> https://mailman.videolan.org/listinfo/vlc-devel
> > >
> > > _______________________________________________
> > > vlc-devel mailing list
> > > To unsubscribe or modify your subscription options:
> > > https://mailman.videolan.org/listinfo/vlc-devel
> >
> > _______________________________________________
> > vlc-devel mailing list
> > To unsubscribe or modify your subscription options:
> > https://mailman.videolan.org/listinfo/vlc-devel
>
> _______________________________________________
> vlc-devel mailing list
> To unsubscribe or modify your subscription options:
> https://mailman.videolan.org/listinfo/vlc-devel
--
Rémi Denis-Courmont
http://www.remlab.net/
More information about the vlc-devel
mailing list