diff options
| author | der richter <der.richter@gmx.de> | 2024-04-10 19:41:38 +0200 |
|---|---|---|
| committer | der richter <der.richter@gmx.de> | 2024-04-12 23:23:16 +0200 |
| commit | e42a8d537f575cf61747e9f67c5a9e34f511cb2b (patch) | |
| tree | 377ba33b96762a11e19750c0f296eba85acbdf4d | |
| parent | 096d35dac7bd8a087d5268e20ff9c392c1a93081 (diff) | |
| download | mpv-e42a8d537f575cf61747e9f67c5a9e34f511cb2b.tar.bz2 mpv-e42a8d537f575cf61747e9f67c5a9e34f511cb2b.tar.xz | |
mac/log: fix use after free when freeing mpv handle
the mp_log is freed when the corresponding mpv_handle (ta_parent) is
freed in the EventHelper, though it could still be used from different
threads. instead don't use a ta_parent and manually free on manual
dereferencing. on app shutdown (memory cleanup) this is not called but
instead is freed by the usual cleanup and freeing.
the LogHelper is only able to be manually dereferenced in the AppHub,
so no race conditions are possible in all other cases (vo).in the AppHub
it's impossible to hit a race condition atm, because of how the init
process works and how/where the log is used. only manually forcing
logging in the exit process itself could theoretically trigger a use
after free.
Fixes #13823
| -rw-r--r-- | osdep/mac/app_hub.swift | 2 | ||||
| -rw-r--r-- | osdep/mac/log_helper.swift | 8 |
2 files changed, 8 insertions, 2 deletions
diff --git a/osdep/mac/app_hub.swift b/osdep/mac/app_hub.swift index e86e707dd3..997cc33847 100644 --- a/osdep/mac/app_hub.swift +++ b/osdep/mac/app_hub.swift @@ -55,7 +55,7 @@ class AppHub: NSObject { event = EventHelper(self, mpv) if let mpv = event?.mpv { self.mpv = mpv - log.log = mp_log_new(UnsafeMutablePointer(mpv), mp_client_get_log(mpv), "app") + log.log = mp_log_new(nil, mp_client_get_log(mpv), "app") option = OptionHelper(UnsafeMutablePointer(mpv), mp_client_get_global(mpv)) input.option = option } diff --git a/osdep/mac/log_helper.swift b/osdep/mac/log_helper.swift index 0f65975da1..3d349a487c 100644 --- a/osdep/mac/log_helper.swift +++ b/osdep/mac/log_helper.swift @@ -50,7 +50,7 @@ class LogHelper { } func send(message: String, type: Int) { - guard let log = log, UnsafeRawPointer(log).load(as: UInt8.self) != 0 else { + guard let log = log else { logger.log(level: loggerMapping[type] ?? .default, "\(message, privacy: .public)") return } @@ -58,4 +58,10 @@ class LogHelper { let args: [CVarArg] = [(message as NSString).utf8String ?? "NO MESSAGE"] mp_msg_va(log, Int32(type), "%s\n", getVaList(args)) } + + deinit { + // only a manual dereferencing will trigger this, cleanup properly in that case + ta_free(UnsafeMutablePointer(log)) + log = nil + } } |