authorAnton Kindestam <antonki@kth.se>2017-11-06 00:30:48 +0100
committerJan Ekström <jeebjp@gmail.com>2017-12-03 17:30:17 +0200
commit5129d777a65e64032dbf36edb02bd7946b1ba83f (patch)
treef5fa5fe29c1bba9e6f290a355541b36bf95685ce
parent9bbf8a6dfa83dc3f45ff60e5390057dcdc684be8 (diff)
downloadmpv-5129d777a65e64032dbf36edb02bd7946b1ba83f.tar.bz2
mpv-5129d777a65e64032dbf36edb02bd7946b1ba83f.tar.xz
video: fix double free in drm_atomic_create_context
Passing an invalid DRM overlay id with the --drm-overlay option would cause drmplane to be freed twice: once in the for-loop and once at the error-handler label fail. Solve this by setting drmplane to NULL after freeing it. Also, the 'return false' statement after the error-handler label should probably be 'return NULL', given that drm_atomic_create_context returns a pointer.
-rw-r--r--video/out/drm_atomic.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/video/out/drm_atomic.c b/video/out/drm_atomic.c
index a908826677..7a55483675 100644
--- a/video/out/drm_atomic.c
+++ b/video/out/drm_atomic.c
@@ -203,6 +203,7 @@ struct drm_atomic_context *drm_atomic_create_context(struct mp_log *log, int fd,
}
}
drmModeFreePlane(drmplane);
+ drmplane = NULL;
}
if (!ctx->primary_plane) {
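Review bot: The added `drmplane = NULL;` carries an invariant that nothing on the line explains: the `fail:` label in the second hunk calls `drmModeFreePlane(drmplane)` unconditionally, so the pointer must never stay non-NULL once it has been released. A short comment would keep a later refactor from dropping the reset and reintroducing the double free, for example `drmplane = NULL; /* fail: frees drmplane again; never leave it dangling */`. The fix also depends on `drmModeFreePlane()` accepting NULL, which libdrm does, whereas `plane` is explicitly guarded with `if (plane)` at the same label; using one style for both would make the cleanup easier to audit. The loop and the rest of the function body lie outside this hunk.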
@@ -232,7 +233,7 @@ fail:
drmModeFreePlane(drmplane);
if (plane)
drm_object_free(plane);
- return false;
+ return NULL;
}
void drm_atomic_destroy_context(struct drm_atomic_context *ctx)
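Review bot: The `if (plane) drm_object_free(plane);` cleanup at `fail:` may have the same stale-pointer problem that this commit fixes for `drmplane`, though the hunk alone cannot confirm it. If the loop (outside this hunk) stores `plane` in `ctx->primary_plane` or `ctx->overlay_plane` and a later path jumps to `fail`, the object would be released here while `ctx` still points to it. It is worth checking that `plane` is cleared once ownership passes to the context, e.g. `ctx->primary_plane = plane; plane = NULL;`, and that the `fail` path releases whatever `ctx` already owns exactly once. The start of the `fail:` block is outside the hunk, so the handling of `ctx` itself is not visible.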