From c3781b2d6837389c0eb6af6ad0e1998c0df76bc1 Mon Sep 17 00:00:00 2001 From: NRK Date: Wed, 28 Jun 2023 07:09:42 +0600 Subject: [PATCH] vo_drm: fix null dereference and using closed fd when vo_drm_init() fails inside of preinit(), uninit() will be called as part of cleanup with vo->drm being NULL and thus `drm->fd` would lead to null dereference. and since vo_drm_uninit() closes drm->fd, destroy_framebuffer() ends up using a closed fd. according to the drm-gem manpage [0]: > If you close the DRM file-descriptor, all open dumb-buffers are > automatically destroyed. so remove the destroy_framebuffer() loop entirely, which fixes both the issues. [0]: https://www.systutorials.com/docs/linux/man/7-drm-gem/ --- video/out/vo_drm.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/video/out/vo_drm.c b/video/out/vo_drm.c index 1b1fe81e05..96d02c5f00 100644 --- a/video/out/vo_drm.c +++ b/video/out/vo_drm.c @@ -382,8 +382,6 @@ static void flip_page(struct vo *vo) static void uninit(struct vo *vo) { struct priv *p = vo->priv; - struct vo_drm_state *drm = vo->drm; - int fd = drm->fd; vo_drm_uninit(vo); @@ -391,9 +389,6 @@ static void uninit(struct vo *vo) swapchain_step(vo); } - for (int i = 0; i < p->buf_count; ++i) - destroy_framebuffer(fd, p->bufs[i]); - talloc_free(p->last_input); talloc_free(p->cur_frame); talloc_free(p->cur_frame_cropped);