diff options
| author | wnoun <wnoun@outlook.com> | 2019-05-26 16:58:25 +0800 |
|---|---|---|
| committer | wm4 <wm4@nowhere> | 2019-09-20 13:54:17 +0200 |
| commit | 35da5a4d8e9f8616eaa55af3219cbb6139d6d68c (patch) | |
| tree | 7f8ba179101bedea7d545448fa3442bfa26871e4 /player | |
| parent | db09d77e46128a68f06dc89d34bdc6045ace63f2 (diff) | |
| download | mpv-35da5a4d8e9f8616eaa55af3219cbb6139d6d68c.tar.bz2 mpv-35da5a4d8e9f8616eaa55af3219cbb6139d6d68c.tar.xz | |
render api: fix use-after-free
render api needs to wait for vo to be destroyed before frees the context.
The purpose of kill_cb is to wake up render api after vo is destroyed,
but uninit did that before kill_cb, so kill_cb tries using the freed
memory. Remove kill_cb to fix the issue as uninit is able to do the
work.
Diffstat (limited to 'player')
| -rw-r--r-- | player/client.c | 22 | ||||
| -rw-r--r-- | player/client.h | 3 |
2 files changed, 4 insertions, 21 deletions
diff --git a/player/client.c b/player/client.c index 4199dcc638..7b4d9496d8 100644 --- a/player/client.c +++ b/player/client.c @@ -1817,16 +1817,9 @@ int64_t mpv_get_time_us(mpv_handle *ctx) #include "video/out/libmpv.h" -struct kill_ctx { - struct MPContext *mpctx; - void (*fin)(void *ctx); - void *fin_ctx; -}; - static void do_kill(void *ptr) { - struct kill_ctx *k = ptr; - struct MPContext *mpctx = k->mpctx; + struct MPContext *mpctx = ptr; struct track *track = mpctx->vo_chain ? mpctx->vo_chain->track : NULL; uninit_video_out(mpctx); @@ -1834,22 +1827,13 @@ static void do_kill(void *ptr) mpctx->error_playing = MPV_ERROR_VO_INIT_FAILED; error_on_track(mpctx, track); } - - k->fin(k->fin_ctx); } // Used by vo_libmpv to (a)synchronously uninitialize video. -void kill_video_async(struct mp_client_api *client_api, void (*fin)(void *ctx), - void *fin_ctx) +void kill_video_async(struct mp_client_api *client_api) { struct MPContext *mpctx = client_api->mpctx; - struct kill_ctx *k = talloc_ptrtype(NULL, k); - *k = (struct kill_ctx){ - .mpctx = mpctx, - .fin = fin, - .fin_ctx = fin_ctx, - }; - mp_dispatch_enqueue_autofree(mpctx->dispatch, do_kill, k); + mp_dispatch_enqueue(mpctx->dispatch, do_kill, mpctx); } // Used by vo_libmpv to set the current render context. diff --git a/player/client.h b/player/client.h index 7426e94372..e9e8665e70 100644 --- a/player/client.h +++ b/player/client.h @@ -49,8 +49,7 @@ bool mp_set_main_render_context(struct mp_client_api *client_api, struct mpv_render_context *ctx, bool active); struct mpv_render_context * mp_client_api_acquire_render_context(struct mp_client_api *ca); -void kill_video_async(struct mp_client_api *client_api, void (*fin)(void *ctx), - void *fin_ctx); +void kill_video_async(struct mp_client_api *client_api); bool mp_streamcb_lookup(struct mpv_global *g, const char *protocol, void **out_user_data, mpv_stream_cb_open_ro_fn *out_fn); |