[Mesa-dev] [PATCH] st/va: avoid dereference after free
Emil Velikov
emil.l.velikov at gmail.com
Sat Mar 5 12:30:31 UTC 2016
Hi Thomas,
On 5 March 2016 at 12:07, Thomas Hindoe Paaboel Andersen
<phomes at gmail.com> wrote:
> ---
> src/gallium/state_trackers/va/image.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/gallium/state_trackers/va/image.c b/src/gallium/state_trackers/va/image.c
> index 2c42a98..92d014c 100644
> --- a/src/gallium/state_trackers/va/image.c
> +++ b/src/gallium/state_trackers/va/image.c
> @@ -280,6 +280,7 @@ vlVaDestroyImage(VADriverContextP ctx, VAImageID image)
> {
> vlVaDriver *drv;
> VAImage *vaimage;
> + VAStatus status;
>
> if (!ctx)
> return VA_STATUS_ERROR_INVALID_CONTEXT;
> @@ -294,8 +295,9 @@ vlVaDestroyImage(VADriverContextP ctx, VAImageID image)
>
> handle_table_remove(VL_VA_DRIVER(ctx)->htab, image);
> pipe_mutex_unlock(drv->mutex);
> + status = vlVaDestroyBuffer(ctx, vaimage->buf);
> FREE(vaimage);
> - return vlVaDestroyBuffer(ctx, vaimage->buf);
> + return status;
Nicely spotted !
Out of curiosity: did you notice this during code inspection or did it
pop up during testing ?
For the patch
Cc: "11.1 11.2" <mesa-stable at lists.freedesktop.org>
Reviewed-by: Emil Velikov <emil.l.velikov at gmail.com>
I'll push this in a couple of days unless someone beats me to it.
Thanks
Emil
More information about the mesa-dev
mailing list