Bug 787442 – kms: fix crash if bo allocation failed when copying to dumb buffer

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 787442 - kms: fix crash if bo allocation failed when copying to dumb buffer


Summary:	kms: fix crash if bo allocation failed when copying to dumb buffer


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-bad
Version:	git master
Hardware:	Other Linux

Importance:	Normal normal
Target Milestone:	1.12.3
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2017-09-08 13:02 UTC by Guillaume Desmottes
Modified:	2017-09-11 08:53 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
kms: set buffer to NULL if allocation failed (1.13 KB, patch) 2017-09-08 13:02 UTC, Guillaume Desmottes	needs-work	Details \| Review
kms: fix crash if bo allocation failed when copying to dumb buffer (1.44 KB, patch) 2017-09-08 13:23 UTC, Guillaume Desmottes	committed	Details \| Review

Description Guillaume Desmottes 2017-09-08 13:02:26 UTC

Comment 1 Guillaume Desmottes 2017-09-08 13:02:42 UTC

Created attachment 359399 [details] [review]
kms: set buffer to NULL if allocation failed

If bo allocation failed we destroy the buffer and return GST_FLOW_ERROR,
but the @buffer pointer was still pointing to the address of the
destroyed buffer. gst_kms_sink_copy_to_dumb_buffer() was then trying to
unref it when bailing out causing a crash.

Best to return NULL rather than an invalid pointer if the allocation
failed.

Comment 2 Nicolas Dufresne (ndufresne) 2017-09-08 13:09:45 UTC

Review of attachment 359399 [details] [review]:

gst_buffer_new() will abort on failure. I'd say, remove the check and move the bo allocation up.

Comment 3 Nicolas Dufresne (ndufresne) 2017-09-08 13:12:17 UTC

Review of attachment 359399 [details] [review]:

While at it, can you fix the other code. gst_kms_sink_copy_to_dumb_buffer() does not initialize buf, and assuming that gst_buffer_pool_acquire_buffer() have set it to NULL is wrong there (just like assuming it was left untouched, but this is cleaner to do so of course.

Comment 4 Guillaume Desmottes 2017-09-08 13:23:03 UTC

Created attachment 359400 [details] [review]
kms: fix crash if bo allocation failed when copying to dumb buffer

If bo allocation failed we destroy the buffer and return GST_FLOW_ERROR,
but the @buffer pointer was still pointing to the address of the
destroyed buffer. gst_kms_sink_copy_to_dumb_buffer() was then trying to
unref it when bailing out causing a crash.

Leave @buffer untouched if allocation failed to fix the crash.
Also remove the check on *buffer being not NULL as gst_buffer_new()
will abort if it failed.

Comment 5 Nicolas Dufresne (ndufresne) 2017-09-08 13:29:50 UTC

Attachment 359400 [details] pushed as 7e38fb5 - kms: fix crash if bo allocation failed when copying to dumb buffer

Comment 6 Nicolas Dufresne (ndufresne) 2017-09-08 13:37:07 UTC

Also in 1.12, 2b8edd9c0f23e1aedc68fd2271931bce707d2ac4