[Mesa-dev] [PATCH] st/va: avoid dereference after free
Thomas H.P. Andersen
phomes at gmail.com
Sun Mar 6 09:08:57 UTC 2016
On Sat, Mar 5, 2016 at 1:30 PM, Emil Velikov <emil.l.velikov at gmail.com>
wrote:
> Hi Thomas,
>
> On 5 March 2016 at 12:07, Thomas Hindoe Paaboel Andersen
> <phomes at gmail.com> wrote:
> > ---
> > src/gallium/state_trackers/va/image.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/gallium/state_trackers/va/image.c
> b/src/gallium/state_trackers/va/image.c
> > index 2c42a98..92d014c 100644
> > --- a/src/gallium/state_trackers/va/image.c
> > +++ b/src/gallium/state_trackers/va/image.c
> > @@ -280,6 +280,7 @@ vlVaDestroyImage(VADriverContextP ctx, VAImageID
> image)
> > {
> > vlVaDriver *drv;
> > VAImage *vaimage;
> > + VAStatus status;
> >
> > if (!ctx)
> > return VA_STATUS_ERROR_INVALID_CONTEXT;
> > @@ -294,8 +295,9 @@ vlVaDestroyImage(VADriverContextP ctx, VAImageID
> image)
> >
> > handle_table_remove(VL_VA_DRIVER(ctx)->htab, image);
> > pipe_mutex_unlock(drv->mutex);
> > + status = vlVaDestroyBuffer(ctx, vaimage->buf);
> > FREE(vaimage);
> > - return vlVaDestroyBuffer(ctx, vaimage->buf);
> > + return status;
>
> Nicely spotted !
> Out of curiosity: did you notice this during code inspection or did it
> pop up during testing ?
>
Thanks for the review! I only saw it by inspection. I am just poking around
a bit to get to know the code.
>
> For the patch
>
> Cc: "11.1 11.2" <mesa-stable at lists.freedesktop.org>
> Reviewed-by: Emil Velikov <emil.l.velikov at gmail.com>
>
> I'll push this in a couple of days unless someone beats me to it.
>
> Thanks
> Emil
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/mesa-dev/attachments/20160306/916a8848/attachment.html>
More information about the mesa-dev
mailing list