From 35da5a4d8e9f8616eaa55af3219cbb6139d6d68c Mon Sep 17 00:00:00 2001
From: wnoun
Date: Sun, 26 May 2019 16:58:25 +0800
Subject: render api: fix use-after-free render api needs to wait for vo to be destroyed before frees the context. The purpose of kill_cb is to wake up render api after vo is destroyed, but uninit did that before kill_cb, so kill_cb tries using the freed memory. Remove kill_cb to fix the issue as uninit is able to do the work.
---
 player/client.c | 22 +++-------------------
 player/client.h | 3 +--
 2 files changed, 4 insertions(+), 21 deletions(-) (limited to 'player')
diff --git a/player/client.c b/player/client.c
index 4199dcc638..7b4d9496d8 100644
--- a/player/client.c
+++ b/player/client.c
@@ -1817,16 +1817,9 @@ int64_t mpv_get_time_us(mpv_handle *ctx)
 #include "video/out/libmpv.h"
-struct kill_ctx {
- struct MPContext *mpctx;
- void (*fin)(void *ctx);
- void *fin_ctx;
-};
-
 static void do_kill(void *ptr)
 {
- struct kill_ctx *k = ptr;
- struct MPContext *mpctx = k->mpctx;
+ struct MPContext *mpctx = ptr;
 struct track *track = mpctx->vo_chain ? mpctx->vo_chain->track : NULL;
 uninit_video_out(mpctx);
@@ -1834,22 +1827,13 @@ static void do_kill(void *ptr)
 mpctx->error_playing = MPV_ERROR_VO_INIT_FAILED;
 error_on_track(mpctx, track);
 }
-
- k->fin(k->fin_ctx);
 }
 // Used by vo_libmpv to (a)synchronously uninitialize video.
-void kill_video_async(struct mp_client_api *client_api, void (*fin)(void *ctx),
- void *fin_ctx)
+void kill_video_async(struct mp_client_api *client_api)
 {
 struct MPContext *mpctx = client_api->mpctx;
- struct kill_ctx *k = talloc_ptrtype(NULL, k);
- *k = (struct kill_ctx){
- .mpctx = mpctx,
- .fin = fin,
- .fin_ctx = fin_ctx,
- };
- mp_dispatch_enqueue_autofree(mpctx->dispatch, do_kill, k);
+ mp_dispatch_enqueue(mpctx->dispatch, do_kill, mpctx);
 }
 // Used by vo_libmpv to set the current render context.
diff --git a/player/client.h b/player/client.h
index 7426e94372..e9e8665e70 100644
--- a/player/client.h
+++ b/player/client.h
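Review bot: do_kill() has no completion signal of its own once `k->fin(k->fin_ctx)` is removed (in the next hunk), so anything waiting on the render-API side is woken only if `uninit_video_out(mpctx)` really tears down a VO and that VO's uninit does the wake-up. Whether the waiter in vo_libmpv copes with the case where no VO is active when the item runs is not visible in this view, which is limited to player/, so that path deserves a check for a possible hang in place of the old use-after-free. I would record the dependency above the function: `// ptr is the MPContext (borrowed). Completion is signalled by the VO's own uninit, not from here.` The body of do_kill spans both hunks, with a few lines between them that are not shown.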
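Review bot: The comment kept above kill_video_async() still says "(a)synchronously", but the new body only queues do_kill with `mp_dispatch_enqueue(mpctx->dispatch, do_kill, mpctx)` and returns without any completion callback. The rule a caller must follow to avoid freeing the render context too early is therefore no longer written down next to the function. I would reword the comment to `// Used by vo_libmpv to request asynchronous video uninit. Returns immediately; the caller must wait for the VO's uninit before freeing its context.` The queued item now borrows mpctx instead of owning a heap kill_ctx, which assumes the item always runs before the MPContext is destroyed; that looks safe because the queue is reached through mpctx itself, but it is worth confirming against the core's shutdown order.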
@@ -49,8 +49,7 @@ bool mp_set_main_render_context(struct mp_client_api *client_api, struct mpv_render_context *ctx, bool active); struct mpv_render_context * mp_client_api_acquire_render_context(struct mp_client_api *ca); -void kill_video_async(struct mp_client_api *client_api, void (*fin)(void *ctx), - void *fin_ctx); +void kill_video_async(struct mp_client_api *client_api); bool mp_streamcb_lookup(struct mpv_global *g, const char *protocol, void **out_user_data, mpv_stream_cb_open_ro_fn *out_fn); -- cgit v1.2.3