[Libva] [PATCH] Fix use-after-free in vaTerminate
Xiang, Haihao
haihao.xiang at intel.com
Thu Jun 5 17:41:48 PDT 2014
Thanks for the patch, is your issue similar to the following issue ?
https://bugs.freedesktop.org/show_bug.cgi?id=79587
The above issue has been fixed on the staging branch.
http://cgit.freedesktop.org/libva/commit/va/va.c?h=staging&id=d4988142a3f2256e38c5c5cdcdfc1b4f5f3c1ea9
Thanks
Haihao
> It looks like vaTerminate uses display content after it have been freed.
> This patch moves destruction after all usage.
>
> Signed-off-by: Nikolay Martynov <mar.kolya at gmail.com>
> ---
> va/va.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/va/va.c b/va/va.c
> index c770f0d..4f3be28 100644
> --- a/va/va.c
> +++ b/va/va.c
> @@ -515,15 +515,15 @@ VAStatus vaTerminate (
> free(old_ctx->vtable_vpp);
> old_ctx->vtable_vpp = NULL;
>
> - if (VA_STATUS_SUCCESS == vaStatus)
> - pDisplayContext->vaDestroy(pDisplayContext);
> -
> VA_TRACE_LOG(va_TraceTerminate, dpy);
>
> va_TraceEnd(dpy);
>
> va_FoolEnd(dpy);
>
> + if (VA_STATUS_SUCCESS == vaStatus)
> + pDisplayContext->vaDestroy(pDisplayContext);
> +
> return vaStatus;
> }
>
More information about the Libva
mailing list