[MPlayer-dev-eng] [PATCH] fix use-after-free in vo_vdpau

Rinat Ibragimov ibragimovrinat at mail.ru
Tue Oct 15 10:46:06 CEST 2013


Tuesday, 15 October 2013, 8:24 +02:00 from Reimar Döffinger <Reimar.Doeffinger at gmx.de>:
> On 14.10.2013, at 22:01, Alexander Strasser <eclipse7 at gmx.net> wrote:
> > Hi,
> > 
> > On 2013-10-14 19:56 +0400, Rinat Ibragimov wrote:
> >> Hi, I've faced use-after-free in vo_vdpau.c. The issue may arise when one switches to
> >> next video in playlist. Here is a patch that should prevent that.
> > 
> >  keeping allocated arrays and associated size fields in sync,
> > seems like a good idea to me. Beware I didn't read the code
> > closely so there might well be more underlying problems.
> 
> Since the pointers are set to NULL I can't see how a use-after-free would happen, a valgrind log would help.

It's not exactly a use-after-free, more like a NULL pointer dereference. Sorry for misleading you.
Here is a gdb backtrace on a recent (2013-10-14) source snapshot:

Program received signal SIGSEGV, Segmentation fault.
mark_vdpau_objects_uninitialized () at libvo/vo_vdpau.c:648
648	        eosd_surfaces[i].surface = VDP_INVALID_HANDLE;
(gdb) bt
#0  mark_vdpau_objects_uninitialized () at libvo/vo_vdpau.c:648
#1  win_x11_init_vdpau_procs () at libvo/vo_vdpau.c:413
#2  0x00005555556b79b5 in preinit (arg=<optimized out>) at libvo/vo_vdpau.c:1293
#3  0x000055555568f022 in init_best_video_out (vo_list=0x0) at libvo/video_out.c:358
#4  0x000055555568967f in reinit_video_chain () at mplayer.c:2326
#5  0x000055555567a546 in main (argc=4, argv=0x7fffffffe338) at mplayer.c:3612
(gdb) 

You need a video with subtitles to trigger the bug. Put multiple copies of the same video
with subtitles in the playlist, wait for the first subtitle to appear, then press ENTER to
switch to the next video.

On line 648 eosd_surfaces is NULL, but eosd_surface_count == 512.


---
Rinat

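Added illustration (not MPlayer's code, and not the patch under discussion): a minimal C model of the state described above, where the array pointer is freed and set to NULL but the companion size field keeps its old value, so a later loop that trusts the count dereferences NULL. The struct and function names (eosd_surface_t, eosd_state_t, eosd_free_buggy, eosd_free_fixed, simulate_playlist_switch) and the INVALID_HANDLE stand-in are hypothetical; the only things taken from the thread are the shape of the crashing loop and the count of 512.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for VDP_INVALID_HANDLE; the real value belongs to VDPAU and is
 * not assumed here. */
#define INVALID_HANDLE ((uint32_t)0xffffffffu)

/* Hypothetical model of one EOSD (subtitle overlay) surface slot. */
typedef struct {
    uint32_t surface;
    int w, h;
} eosd_surface_t;

/* Hypothetical container pairing the array with its size field. */
typedef struct {
    eosd_surface_t *surfaces;
    int surface_count;
} eosd_state_t;

/* Allocate n slots and mark them invalid. Returns 0 on success. */
int eosd_alloc(eosd_state_t *st, int n)
{
    st->surfaces = calloc((size_t)n, sizeof *st->surfaces);
    if (!st->surfaces)
        return -1;
    st->surface_count = n;
    for (int i = 0; i < n; i++)
        st->surfaces[i].surface = INVALID_HANDLE;
    return 0;
}

/* Buggy teardown: NULLs the pointer but leaves surface_count at its old
 * value, which is the pointer==NULL / count==512 state seen in gdb. */
void eosd_free_buggy(eosd_state_t *st)
{
    free(st->surfaces);
    st->surfaces = NULL;
}

/* Fixed teardown: pointer and size field are reset together. */
void eosd_free_fixed(eosd_state_t *st)
{
    free(st->surfaces);
    st->surfaces = NULL;
    st->surface_count = 0;
}

/* The invariant the fix maintains: a NULL array must have a zero count. */
int eosd_state_consistent(const eosd_state_t *st)
{
    return st->surfaces != NULL || st->surface_count == 0;
}

/* Loop shaped like the one at the crash site. Without the guard, a NULL
 * array with count 512 dereferences NULL on the first iteration. Returns
 * the number of slots written, or -1 if the state was inconsistent. */
int mark_uninitialized(eosd_state_t *st)
{
    if (!eosd_state_consistent(st))
        return -1;
    for (int i = 0; i < st->surface_count; i++)
        st->surfaces[i].surface = INVALID_HANDLE;
    return st->surface_count;
}

/* Simulate "play one file, switch to the next": allocate, tear down, then
 * run the reinit-time marking loop. Returns mark_uninitialized()'s result. */
int simulate_playlist_switch(int use_fixed_teardown)
{
    eosd_state_t st = {0};
    if (eosd_alloc(&st, 512) != 0)
        return -2;
    if (use_fixed_teardown)
        eosd_free_fixed(&st);
    else
        eosd_free_buggy(&st);
    return mark_uninitialized(&st);
}

int main(void)
{
    printf("buggy teardown: %d\n", simulate_playlist_switch(0)); /* -1: guard caught it */
    printf("fixed teardown: %d\n", simulate_playlist_switch(1)); /*  0: nothing to mark */
    return 0;
}
```

The guard in mark_uninitialized only turns the crash into a detectable error; the actual fix is eosd_free_fixed, which keeps the size field in step with the pointer so the loop never has a non-zero count over a NULL array.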
