diff options
author | wnoun <wnoun@outlook.com> | 2019-05-26 16:58:25 +0800 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2019-09-20 13:54:17 +0200 |
commit | 35da5a4d8e9f8616eaa55af3219cbb6139d6d68c (patch) | |
tree | 7f8ba179101bedea7d545448fa3442bfa26871e4 /player/client.c | |
parent | db09d77e46128a68f06dc89d34bdc6045ace63f2 (diff) | |
download | mpv-35da5a4d8e9f8616eaa55af3219cbb6139d6d68c.tar.bz2 mpv-35da5a4d8e9f8616eaa55af3219cbb6139d6d68c.tar.xz |
render api: fix use-after-free
render api needs to wait for vo to be destroyed before frees the context.
The purpose of kill_cb is to wake up render api after vo is destroyed,
but uninit did that before kill_cb, so kill_cb tries using the freed
memory. Remove kill_cb to fix the issue as uninit is able to do the
work.
Diffstat (limited to 'player/client.c')
-rw-r--r-- | player/client.c | 22 |
1 files changed, 3 insertions, 19 deletions
diff --git a/player/client.c b/player/client.c index 4199dcc638..7b4d9496d8 100644 --- a/player/client.c +++ b/player/client.c @@ -1817,16 +1817,9 @@ int64_t mpv_get_time_us(mpv_handle *ctx) #include "video/out/libmpv.h" -struct kill_ctx { - struct MPContext *mpctx; - void (*fin)(void *ctx); - void *fin_ctx; -}; - static void do_kill(void *ptr) { - struct kill_ctx *k = ptr; - struct MPContext *mpctx = k->mpctx; + struct MPContext *mpctx = ptr; struct track *track = mpctx->vo_chain ? mpctx->vo_chain->track : NULL; uninit_video_out(mpctx); @@ -1834,22 +1827,13 @@ static void do_kill(void *ptr) mpctx->error_playing = MPV_ERROR_VO_INIT_FAILED; error_on_track(mpctx, track); } - - k->fin(k->fin_ctx); } // Used by vo_libmpv to (a)synchronously uninitialize video. -void kill_video_async(struct mp_client_api *client_api, void (*fin)(void *ctx), - void *fin_ctx) +void kill_video_async(struct mp_client_api *client_api) { struct MPContext *mpctx = client_api->mpctx; - struct kill_ctx *k = talloc_ptrtype(NULL, k); - *k = (struct kill_ctx){ - .mpctx = mpctx, - .fin = fin, - .fin_ctx = fin_ctx, - }; - mp_dispatch_enqueue_autofree(mpctx->dispatch, do_kill, k); + mp_dispatch_enqueue(mpctx->dispatch, do_kill, mpctx); } // Used by vo_libmpv to set the current render context. |