From 5129d777a65e64032dbf36edb02bd7946b1ba83f Mon Sep 17 00:00:00 2001
From: Anton Kindestam
Date: Mon, 6 Nov 2017 00:30:48 +0100
Subject: video: fix double free in drm_atomic_create_context Passing in an invalid DRM overlay id with the --drm-overlay option would cause drmplane to be freed twice: once in the for-loop and once at the error-handler label fail. Solve by setting drmpanel to NULL after freeing it. Also the 'return false' statement after the error handler label should probably be 'return NULL', given that the return type of drm_atomic_create_context returns a pointer.
---
 video/out/drm_atomic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/video/out/drm_atomic.c b/video/out/drm_atomic.c
index a908826677..7a55483675 100644
--- a/video/out/drm_atomic.c
+++ b/video/out/drm_atomic.c
@@ -203,6 +203,7 @@ struct drm_atomic_context *drm_atomic_create_context(struct mp_log *log, int fd,
 }
 }
 drmModeFreePlane(drmplane);
+ drmplane = NULL;
 }
 if (!ctx->primary_plane) {
@@ -232,7 +233,7 @@ fail:
 drmModeFreePlane(drmplane);
 if (plane)
 drm_object_free(plane);
- return false;
+ return NULL;
 }
 void drm_atomic_destroy_context(struct drm_atomic_context *ctx)
-- 
cgit v1.2.3
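Review bot: The added `drmplane = NULL;` closes the double free only for `drmplane`; the `fail:` handler in the second hunk also calls `drm_object_free(plane)` under `if (plane)`, and nothing visible here clears `plane` once the loop is done with it. If `plane` can still point at an object that was already released or handed over to `ctx` when a post-loop check jumps to `fail`, the same dangling-pointer free would apply, so it is worth confirming and, if so, resetting it the same way (`plane = NULL;` once ownership moves). A short comment on the new line, e.g. `/* cleared so the fail: handler does not free it again */`, would keep the invariant from being dropped in a later refactor. The loop body and the start of the handler lie outside the hunks, so the point about `plane` is inferred from the visible lines only.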