[MPlayer-dev-eng] [PATCH] fix use-after-free in vo_vdpau

Reimar Döffinger Reimar.Doeffinger at gmx.de
Tue Oct 15 20:59:48 CEST 2013


On Tue, Oct 15, 2013 at 12:46:06PM +0400, Rinat Ibragimov wrote:
> 
> Tuesday, 15 October 2013, 8:24 +02:00 from Reimar Döffinger <Reimar.Doeffinger at gmx.de>:
> > On 14.10.2013, at 22:01, Alexander Strasser <eclipse7 at gmx.net> wrote:
> > > Hi,
> > > 
> > > On 2013-10-14 19:56 +0400, Rinat Ibragimov wrote:
> > >> Hi, I've faced use-after-free in vo_vdpau.c. The issue may arise when one switches to
> > >> next video in playlist. Here is a patch that should prevent that.
> > > 
> > >  keeping allocated arrays and associated size fields in sync,
> > > seems like a good idea to me. Beware I didn't read the code
> > > closely so there might well be more underlying problems.
> > 
> > Since the pointers are set to NULL I can't see how a use-after-free would happen, a valgrind log would help.
> 
> It's not exactly use-after-free, more like NULL pointer dereference. Sorry for misleading.

That makes more sense, however your approach isn't quite right IMHO.
The sizes are not set to 0 here, because they are not supposed to be
used at any point after uninit.
What went wrong here is actually that in preinit we end up using
those _size variables right before we initialize them (to 0).
Which is kind of the reason why I kind of prefer not setting the
counts to 0 in uninit, since that should result in such relatively easy
to debug crashes (I kind of follow the crashes == next best
thing after bug-free philosophy).
I never noticed it because I usually use -fixed-vo and rarely
play more than one video anyway.
I believe it should be fixed in r36467.
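The ordering problem described above, as an added example that is not part of the original thread or of MPlayer's vo_vdpau.c: a hypothetical `struct vo_state` with an array pointer and a separate `_size` counter, an `uninit` that frees and NULLs the pointer but deliberately leaves the count alone, and two `preinit` variants, one that reads the stale count before resetting it (the reported NULL dereference, modelled here as an early return instead of an actual crash) and one that resets the count first. All names are assumptions; `play_two` simulates switching to the next playlist entry.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical state, modelled on the pattern discussed in the thread:
 * an allocated array plus a separate _size counter. Not vo_vdpau's code. */
struct vo_state {
    int *surfaces;       /* allocated array, NULL after uninit */
    int  surfaces_size;  /* number of valid entries */
};

/* Allocate n surfaces and record the count. */
static int alloc_surfaces(struct vo_state *s, int n)
{
    s->surfaces = calloc((size_t)n, sizeof(*s->surfaces));
    if (!s->surfaces)
        return -1;
    s->surfaces_size = n;
    return 0;
}

/* uninit: free and NULL the pointer; the count is left untouched on purpose.
 * Nothing is supposed to read it after uninit, so a stale count turns any
 * misuse into an easily debugged crash rather than silent wrong behaviour. */
static void uninit(struct vo_state *s)
{
    free(s->surfaces);
    s->surfaces = NULL;
}

/* 1 if pointer and count agree (array present, or count 0),
 * 0 if the pointer is NULL while the count still claims entries exist. */
static int state_consistent(const struct vo_state *s)
{
    return s->surfaces != NULL || s->surfaces_size == 0;
}

/* Buggy ordering: a loop over the old entries runs before the count is reset,
 * so on the second video it indexes a NULL pointer with a stale count. */
static int preinit_buggy(struct vo_state *s, int n)
{
    for (int i = 0; i < s->surfaces_size; i++) {
        if (!s->surfaces)
            return -1;          /* stands in for the NULL dereference */
        s->surfaces[i] = 0;
    }
    s->surfaces_size = 0;       /* too late: the loop above already used it */
    return alloc_surfaces(s, n);
}

/* Fixed ordering: reset the count before anything can read it. */
static int preinit_fixed(struct vo_state *s, int n)
{
    s->surfaces_size = 0;
    for (int i = 0; i < s->surfaces_size; i++)   /* now runs zero times */
        s->surfaces[i] = 0;
    return alloc_surfaces(s, n);
}

/* Simulate playing two videos without -fixed-vo: preinit, uninit, preinit.
 * Returns 0 if the second preinit succeeds, -1 if it hit the stale count. */
static int play_two(int (*preinit)(struct vo_state *, int))
{
    struct vo_state s;
    memset(&s, 0, sizeof(s));
    if (preinit(&s, 4) != 0)
        return -1;
    uninit(&s);
    int rc = preinit(&s, 4);
    uninit(&s);
    return rc;
}

/* After one preinit + uninit the count is stale by design; returns 1 if so. */
static int count_is_stale_after_uninit(void)
{
    struct vo_state s;
    memset(&s, 0, sizeof(s));
    if (alloc_surfaces(&s, 4) != 0)
        return -1;
    uninit(&s);
    return state_consistent(&s) ? 0 : 1;
}

int main(void)
{
    printf("buggy preinit on second video: %d\n", play_two(preinit_buggy));
    printf("fixed preinit on second video: %d\n", play_two(preinit_fixed));
    printf("count stale after uninit: %d\n", count_is_stale_after_uninit());
    return 0;
}
```

The point the example makes is the one in the reply: zeroing the count in `uninit` would also have hidden the problem, but the real defect is that `preinit` consulted `_size` before initialising it, and moving the reset first is the fix.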

