From 35da5a4d8e9f8616eaa55af3219cbb6139d6d68c Mon Sep 17 00:00:00 2001 From: wnoun Date: Sun, 26 May 2019 16:58:25 +0800 Subject: render api: fix use-after-free render api needs to wait for vo to be destroyed before frees the context. The purpose of kill_cb is to wake up render api after vo is destroyed, but uninit did that before kill_cb, so kill_cb tries using the freed memory. Remove kill_cb to fix the issue as uninit is able to do the work. --- video/out/vo_libmpv.c | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) (limited to 'video') diff --git a/video/out/vo_libmpv.c b/video/out/vo_libmpv.c index 1c2a8acba0..3caa457e17 100644 --- a/video/out/vo_libmpv.c +++ b/video/out/vo_libmpv.c @@ -245,16 +245,6 @@ void mp_render_context_set_control_callback(mpv_render_context *ctx, pthread_mutex_unlock(&ctx->control_lock); } -static void kill_cb(void *ptr) -{ - struct mpv_render_context *ctx = ptr; - - pthread_mutex_lock(&ctx->update_lock); - ctx->had_kill_update = true; - pthread_cond_broadcast(&ctx->update_cond); - pthread_mutex_unlock(&ctx->update_lock); -} - void mpv_render_context_free(mpv_render_context *ctx) { if (!ctx) @@ -269,7 +259,7 @@ void mpv_render_context_free(mpv_render_context *ctx) // context. The above removal guarantees it can't come back (so ctx->vo // can't change to non-NULL). if (atomic_load(&ctx->in_use)) { - kill_video_async(ctx->client_api, kill_cb, ctx); + kill_video_async(ctx->client_api); while (atomic_load(&ctx->in_use)) { // As long as the video decoders are not destroyed, they can still @@ -279,7 +269,7 @@ void mpv_render_context_free(mpv_render_context *ctx) if (ctx->dispatch) mp_dispatch_queue_process(ctx->dispatch, 0); - // Wait for kill_cb() or update() calls. + // Wait for update() calls. pthread_mutex_lock(&ctx->update_lock); if (!ctx->had_kill_update) pthread_cond_wait(&ctx->update_cond, &ctx->update_lock); -- cgit v1.2.3