v4l2: Fix use after free of fmtdesc

The decoder needs to force another enumeration of the format. For
this it was clearing the v4l2object internal list, leaving a fmtdesc
pointer pointing to freed memory. This patch clears the fmtdesc pointer
that has just been freed. It also makes sure the probe function does not
use the cached formats list. The probe function will restore the current
fmtdesc pointer based on the currently configured pixelformat.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4317>
Nicolas Dufresne 2023-04-12 17:18:13 -04:00 committed by GStreamer Marge Bot
parent 3a17200638
commit e890e6e8d8


@ -591,7 +591,6 @@ gst_v4l2_video_dec_setup_capture (GstVideoDecoder * decoder)
info.fps_n = self->v4l2output->info.fps_n; info.fps_n = self->v4l2output->info.fps_n;
info.fps_d = self->v4l2output->info.fps_d; info.fps_d = self->v4l2output->info.fps_d;
gst_v4l2_object_clear_format_list (self->v4l2capture);
gst_caps_replace (&self->probed_srccaps, NULL); gst_caps_replace (&self->probed_srccaps, NULL);
self->probed_srccaps = gst_v4l2_object_probe_caps (self->v4l2capture, self->probed_srccaps = gst_v4l2_object_probe_caps (self->v4l2capture,
gst_v4l2_object_get_raw_caps ()); gst_v4l2_object_get_raw_caps ());
@ -647,6 +646,11 @@ gst_v4l2_video_dec_setup_capture (GstVideoDecoder * decoder)
use_acquired_caps: use_acquired_caps:
gst_caps_unref (caps); gst_caps_unref (caps);
/* catch possible bogus driver that don't enumerate the format it actually
* returned from G_FMT */
if (!self->v4l2capture->fmtdesc)
goto not_negotiated;
output_state = gst_video_decoder_set_output_state (decoder, output_state = gst_video_decoder_set_output_state (decoder,
info.finfo->format, info.width, info.height, self->input_state); info.finfo->format, info.width, info.height, self->input_state);
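Review bot: The new guard under `use_acquired_caps:` jumps to `not_negotiated` without saying why, so a driver that omits its G_FMT format from enumeration is indistinguishable from any other negotiation failure. Unless the `not_negotiated` label (outside this hunk) already reports the cause, brace the `if` and log before the jump, e.g. `GST_ERROR_OBJECT (self, "driver did not enumerate the format returned by G_FMT");`. The guard covers only this path: the hunk at line 591 drops the `gst_v4l2_object_clear_format_list` call and so relies on `gst_v4l2_object_probe_caps` to reset and restore `fmtdesc` itself, which is not visible here and is worth confirming for any other reader of `fmtdesc` after the probe. The comment would also read better as `/* catch bogus drivers that don't enumerate the format they actually returned from G_FMT */`.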