VAAPI: fix use after free in CVAAPIContext::DestroyContext #16763
Conversation
Commit cfd5959 ("VAAPI: add error and info callbacks") added calls into vaSetInfoCallback() and vaSetErrorCallback() in CVAAPIContext::DestroyContext(). However, those calls are done after vaTerminate(m_display) which frees the context, causing use after free. Fix that by only performing the callback removal if vaTerminate() fails. Also, set m_display to NULL after a successful vaTerminate() to avoid similar issues being hidden in the future.
anssih
added
Type: Fix
|
Thanks much. I am not a friend of the "indent" when using #ifdef - but there are arguments for it (debugging code where it is evaluated to true) and against. |
|
should these callbacks be done before |
|
I think that would work as well. I believe it is only a cosmetic difference as the context the callbacks are stored in is destroyed anyway. But I guess I could be wrong :) And we would avoid the additional conditional. |
It's up to you. I'm fine either way. I think I did it this way originally because I wanted to catch any issues with |
Ah, good point, that's probably why I kept the calling order. So I do prefer it this way after all :) I also doubt vaTerminate() ever logs anything, but that depends on the backend as well so one could make a backend that does log. |
VAAPI: fix use after free in CVAAPIContext::DestroyContext
Commit cfd5959 ("VAAPI: add error and info callbacks") added calls
into vaSetInfoCallback() and vaSetErrorCallback() in
CVAAPIContext::DestroyContext().
However, those calls are done after vaTerminate(m_display) which frees
the context, causing use after free.
Fix that by only performing the callback removal if vaTerminate() fails.
Also, set m_display to NULL after a successful vaTerminate() to avoid
similar issues being hidden in the future.