mirrors/gstreamer
mirrors/gstreamer
1
1
Fork 0
mirror of https://gitlab.freedesktop.org/gstreamer/gstreamer.git synced 2024-10-02 08:42:32 +00:00
Code Issues 1 Projects Releases Wiki Activity

msdk: avoid reading data from freed memory

Browse source 
Both g_list_delete_link and g_list_remove remove an element and free it,
so l->next is invalid (catched by valgrind) after calling g_list_delete_link
or g_list_remove
This commit is contained in:
Haihao Xiang 2019-08-21 16:46:36 +08:00 committed by Víctor Manuel Jáquez Leal
parent fa18824d32
commit 4841c2759d
3 changed files with 11 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
sys/msdk/gstmsdkcontext.c
View file

@ -468,8 +468,9 @@ check_surfaces_available (GstMsdkContext * context, GstMsdkAllocResponse * resp)
gboolean ret = FALSE;
g_mutex_lock (&priv->mutex);
for (l = resp->surfaces_locked; l; l = l->next) {
for (l = resp->surfaces_locked; l;) {
surface = l->data;
l = l->next;
if (!surface->Data.Locked) {
resp->surfaces_locked = g_list_remove (resp->surfaces_locked, surface);
resp->surfaces_avail = g_list_prepend (resp->surfaces_avail, surface);
@ -503,9 +504,9 @@ gst_msdk_context_get_surface_available (GstMsdkContext * context,
retry:
g_mutex_lock (&priv->mutex);
for (l = msdk_resp->surfaces_avail; l; l = l->next) {
for (l = msdk_resp->surfaces_avail; l;) {
surface = l->data;
l = l->next;
if (!surface->Data.Locked) {
msdk_resp->surfaces_avail =
g_list_remove (msdk_resp->surfaces_avail, surface);

3
sys/msdk/gstmsdkdec.c
View file

@ -769,8 +769,9 @@ release_msdk_surfaces (GstMsdkDec * thiz)
GList *l;
MsdkSurface *surface;
for (l = thiz->decoded_msdk_surfaces; l; l = l->next) {
for (l = thiz->decoded_msdk_surfaces; l;) {
surface = l->data;
l = l->next;
free_surface (thiz, surface);
}
}

7
sys/msdk/gstmsdkenc.c
View file

@ -647,15 +647,18 @@ gst_msdkenc_dequeue_frame (GstMsdkEnc * thiz, GstVideoCodecFrame * frame)
{
GList *l;
for (l = thiz->pending_frames; l; l = l->next) {
for (l = thiz->pending_frames; l;) {
FrameData *fdata = l->data;
GList *l1 = l;
l = l->next;
if (fdata->frame != frame)
continue;
gst_msdkenc_free_frame_data (thiz, fdata);
thiz->pending_frames = g_list_delete_link (thiz->pending_frames, l);
thiz->pending_frames = g_list_delete_link (thiz->pending_frames, l1);
return;
}
}