pipewire/spa/plugins
Barnabás Pőcze 7647ea7c83 spa: support: loop: fix use-after-free when loop is reentered
The core of the issue is the following: what happens if an
active source is destroyed before it could be dispatched?

For loop-managed sources (`struct source_impl`) this was addressed
by storing all destroyed sources in a list, and only freeing them
after dispatching has been finished. (0eb73f0f06)
This approach works for both strictly single-threaded
and `pw_thread_loop` loops assuming the loop is not
reentered.

However, if the loop is reentered, there can still be issues.
Assume that in one iteration sources A and B are active,
and returned from the system call, and source B is destroyed
before the loop starts dispatching. Consider what happens when
"A" is dispatched first, and it reenters the loop with timeout 0.
Imagine there are no new events, so `loop_iterate()` will immediately
return, but it will first destroy everything in the destroy list
(this is done at the end of `loop_iterate()`).
And herein lies the problem. In the previous iteration,
there exists a `spa_poll_event` object which points to source "B",
but that has just been destroyed at the end of the recursive
iteration. This will trigger a use-after-free once the previous
iteration inspects it.

Fix that by processing the destroy list right after first
processing the returned `spa_poll_event` objects, and
"detach" the source from the loop and its iterations
in `process_destroy()` before the source is destroyed.

See #2114 #2147
2022-03-06 18:40:43 +00:00
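The reentrancy scenario from the commit message above, as an added example: this is a simplified single-threaded model written for this page, not PipeWire's code and not part of the commit. Apart from `spa_poll_event`, `loop_iterate()` and `process_destroy()`, which the message names, every identifier (`struct event`, `source_destroy`, `victim`, `run_scenario`) is hypothetical; the destroy list is drained right after the returned events are recorded, and each destroyed source is detached from the event slot that still points at it before it is freed.

```c
#include <stdlib.h>
struct event { struct source *src; };      /* stand-in for spa_poll_event */
struct source {
    void (*func)(struct source *);
    struct event *ev;                      /* event slot still pointing at us */
    struct source *next;                   /* destroy-list link */
};
static struct source *destroy_list, *victim;
static int b_calls;
/* Destroying only queues the source; process_destroy() frees it. */
static void source_destroy(struct source *s) { s->next = destroy_list; destroy_list = s; }
static void process_destroy(void) {
    while (destroy_list) {
        struct source *s = destroy_list; destroy_list = s->next;
        if (s->ev) s->ev->src = NULL;      /* detach from the iteration holding us */
        free(s);
    }
}
static int loop_iterate(struct source **ready, int n) {
    struct event ev[4];
    int i, dispatched = 0;
    for (i = 0; i < n; i++) {              /* record the returned events */
        if (ready[i]->ev) ready[i]->ev->src = NULL;   /* active in an outer iteration */
        ev[i].src = ready[i]; ready[i]->ev = &ev[i];
    }
    process_destroy();                     /* before dispatch, not at the end */
    for (i = 0; i < n; i++) {
        struct source *s = ev[i].src;
        if (!s) continue;                  /* destroyed and detached meanwhile */
        s->ev = NULL;
        s->func(s); dispatched++;
    }
    return dispatched;
}
static void on_b(struct source *s) { (void)s; b_calls++; }
static void on_a(struct source *s) {
    (void)s;
    if (victim) { source_destroy(victim); victim = NULL; }
    loop_iterate(NULL, 0);                 /* reenter, no new events */
}
static int run_scenario(int mode) {
    struct source a = { on_a, NULL, NULL }, *b = calloc(1, sizeof *b);
    struct source *ready[2] = { &a, b };
    if (!b) abort();
    b->func = on_b; b_calls = 0;
    if (mode == 0) source_destroy(b); else victim = b;  /* 0: before dispatch, 1: from A */
    return loop_iterate(ready, 2);
}
int main(void) { return run_scenario(0) == 1 && run_scenario(1) == 1 ? 0 : 1; }
```

In both modes the outer iteration finds a NULL event slot where "B" used to be and skips it, so only "A" is dispatched. Building with `-fsanitize=address` is a quick way to confirm that the freed source is never touched.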
aec fix compilation 2022-02-17 16:11:22 +01:00
alsa alsa: improve latency update 2022-03-04 17:21:17 +01:00
audioconvert channelmix: improve disabled flag 2022-03-04 17:21:11 +01:00
audiomixer spa: clamp required alignment to cpu alignment 2022-01-28 11:49:06 +01:00
audiotestsrc Use configured quantum_limit instead of hardcoded value 2022-01-12 17:50:12 +01:00
bluez5 bluez5: a2dp-sink: stop flushing if source was removed 2022-03-06 16:47:25 +02:00
control buffers: make alignment optional 2022-01-03 12:32:26 +01:00
ffmpeg treewide: meson.build: use dependency variable for SPA 2021-12-28 18:34:06 +01:00
jack buffers: make alignment optional 2022-01-03 12:32:26 +01:00
libcamera buffers: make alignment optional 2022-01-03 12:32:26 +01:00
support spa: support: loop: fix use-after-free when loop is reentered 2022-03-06 18:40:43 +00:00
test buffers: make alignment optional 2022-01-03 12:32:26 +01:00
v4l2 meson: enable some more warnings 2022-01-27 11:07:17 +01:00
videoconvert buffers: make alignment optional 2022-01-03 12:32:26 +01:00
videotestsrc buffers: make alignment optional 2022-01-03 12:32:26 +01:00
volume Use configured quantum_limit instead of hardcoded value 2022-01-12 17:50:12 +01:00
vulkan buffers: make alignment optional 2022-01-03 12:32:26 +01:00
meson.build module-echo-cancel: Move backends to dynamic libaries 2022-02-15 15:45:46 +00:00