GNOME Bugzilla – Bug 619943
[jpegenc] Crash if playing -> setcaps -> ready -> setcaps
Last modified: 2010-05-28 14:03:30 UTC
Jpegenc will crash if the following sequence of actions takes place:

1) Create (jpegenc->row[x][y] are NULL)
2) Set to playing
3) set_caps takes place and calls '_resync'. Piece of code from _resync:

[code]
/* inside the loop over the planes i */
if (!jpegenc->planar) {
  for (j = 0; j < jpegenc->v_max_samp * DCTSIZE; j++) {
    /* NULL on first use, so realloc behaves like malloc */
    jpegenc->row[i][j] = g_realloc (jpegenc->row[i][j], width);
    jpegenc->line[i][j] = jpegenc->row[i][j];
  }
}
[/code]

4) Everything goes fine, you set it to READY. At this point _reset is called. Piece of code from _reset:

[code]
for (i = 0; i < 3; i++) {
  for (j = 0; j < 4 * DCTSIZE; j++) {
    /* frees the scanline but leaves row[i][j] pointing at freed memory */
    g_free (enc->row[i][j]);
  }
}
[/code]

'row' is freed and non-null (oh oh)
5) Set it to playing again
6) set_caps is called... crash on g_realloc! (double free)

Patch follows.
Created attachment 162218

jpegenc: Keep variables in sane state after _reset

When resetting, keep 'row' variables at a sane state after freeing to avoid it being freed again on _resync realloc when the element is reused.

Fixes #619943
Fixed.

commit e0c49a7590b1d554a5e6059edac125bf36b8f4d8
Author: Thiago Santos <thiago.sousa.santos@collabora.co.uk>
Date:   Fri May 28 10:43:36 2010 -0300

    jpegenc: Keep variables in sane state after _reset

    When resetting, keep 'row' variables at a sane state after freeing to avoid it being freed again on _resync realloc when the element is reused.

    Fixes #619943
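The state cycle from the report and the fix from the commit, as an added stand-alone model (not gst-plugins-good code): stdlib realloc/free stand in for g_realloc/g_free, the struct only keeps the 'row' array, and lifecycle_safe() runs PLAYING -> setcaps -> READY and then checks whether a second _resync would hand a freed pointer to realloc. The DCTSIZE value, the 3 x 4*DCTSIZE bounds and v_max_samp are taken from the snippets on the page; the width values are assumptions.

```c
/* Added example modelling the jpegenc row-buffer lifecycle from bug 619943. */
#include <stdlib.h>
#include <string.h>

#define DCTSIZE 8               /* JPEG DCT block size, as used in the snippets */

typedef struct {
  int v_max_samp;               /* vertical sampling factor from the caps */
  unsigned char *row[3][4 * DCTSIZE];
} JpegEnc;

/* _resync: (re)allocate one scanline per used slot, as in the report. */
static void resync(JpegEnc *enc, int width) {
  for (int i = 0; i < 3; i++)
    for (int j = 0; j < enc->v_max_samp * DCTSIZE; j++)
      enc->row[i][j] = realloc(enc->row[i][j], width);
}

/* _reset before the fix: frees every slot but leaves the pointers dangling. */
static void reset_buggy(JpegEnc *enc) {
  for (int i = 0; i < 3; i++)
    for (int j = 0; j < 4 * DCTSIZE; j++)
      free(enc->row[i][j]);
}

/* _reset after the fix: clear the slot so the next realloc sees NULL. */
static void reset_fixed(JpegEnc *enc) {
  for (int i = 0; i < 3; i++)
    for (int j = 0; j < 4 * DCTSIZE; j++) {
      free(enc->row[i][j]);
      enc->row[i][j] = NULL;
    }
}

/* Number of slots that still hold a non-NULL pointer after a reset. */
static int dangling_slots(const JpegEnc *enc) {
  int n = 0;
  for (int i = 0; i < 3; i++)
    for (int j = 0; j < 4 * DCTSIZE; j++)
      if (enc->row[i][j] != NULL) n++;
  return n;
}

/* PLAYING -> setcaps -> READY -> setcaps with the given reset. Returns 1 when
 * the second resync is safe (all slots NULL), 0 when it would double free. */
static int lifecycle_safe(void (*reset)(JpegEnc *)) {
  JpegEnc enc;
  memset(&enc, 0, sizeof enc);  /* step 1: fresh element, all rows NULL */
  enc.v_max_samp = 2;           /* assumed 4:2:0-style caps */
  resync(&enc, 640);            /* steps 2-3: first setcaps, width assumed */
  reset(&enc);                  /* step 4: READY */
  int safe = dangling_slots(&enc) == 0;
  if (safe) { resync(&enc, 320); reset_fixed(&enc); }  /* steps 5-6 only when safe */
  return safe;
}
```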