authorwm4 <wm4@nowhere>2017-08-21 17:34:27 +0200
committerwm4 <wm4@nowhere>2017-08-21 17:47:00 +0200
commitd431111b0647278d2bc234e9e6551c0b7e6c2b6f (patch)
treeef0f99cfd4df7b87af48599a08e1673e7182766a
parentb21e0746f6ac0cd2e6faf7590e3aad53b0437d0f (diff)
win32: fix massive memory corruption
The struct m_thread_info pointer points into an array that will be reallocated if another thread is created while run_thread is just being called. In previous versions of this code, the pointer was stable (as long as the thread existed), so this was overlooked. Fixes #4770. I'm not sure why this triggers it so reliably, while it remained undetected otherwise.
-rw-r--r--osdep/win32/pthread.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/osdep/win32/pthread.c b/osdep/win32/pthread.c
index dfc70288ac..d4a5ddc22a 100644
--- a/osdep/win32/pthread.c
+++ b/osdep/win32/pthread.c
@@ -205,7 +205,11 @@ int pthread_detach(pthread_t thread)
static DWORD WINAPI run_thread(LPVOID lpParameter)
{
- struct m_thread_info *info = lpParameter;
+ pthread_mutex_lock(&pthread_table_lock);
+ struct m_thread_info *info = find_thread_info(pthread_self());
+ assert(info);
+ pthread_mutex_unlock(&pthread_table_lock);
+
pthread_exit(info->user_fn(info->user_arg));
abort(); // not reached
}
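Review bot: `info` is still dereferenced after `pthread_mutex_unlock` on the `pthread_exit(info->user_fn(info->user_arg))` line, so the window the commit describes — another thread calling pthread_create and reallocating the table — is narrowed rather than closed, and a pthread_create that lands between the unlock and that read leaves `info` pointing into freed memory. Copy the two fields out while the lock is held and call through the locals: `void *(*fn)(void *) = info->user_fn; void *arg = info->user_arg;` before the unlock, then `pthread_exit(fn(arg));` (the field types are not visible in the hunk; I am assuming the pthread start_routine signature that pthread_create stores into `.user_fn`). Separately, `assert(info)` compiles away under NDEBUG, so a failed lookup would then fall straight into a NULL dereference; if this file can be built with NDEBUG, an explicit `if (!info) abort();` keeps the failure loud.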
@@ -228,7 +232,7 @@ int pthread_create(pthread_t *thread, const pthread_attr_t *attr,
.user_fn = start_routine,
.user_arg = arg,
};
- info->handle = CreateThread(NULL, 0, run_thread, info, CREATE_SUSPENDED,
+ info->handle = CreateThread(NULL, 0, run_thread, NULL, CREATE_SUSPENDED,
&info->id);
if (!info->handle) {
remove_thread_info(info);
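Review bot: The `NULL` now passed as lpParameter on the CreateThread line is a deliberate choice, but nothing at the call site says so, and a later reader may take it for a leftover and "fix" it back to `info`. A one-line comment such as `// run_thread looks up its m_thread_info via pthread_self(); no parameter needed` would make the coupling explicit. pthread_create's body continues outside the hunk.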