From 76c5eb4654a657cc65d9f0bb77e7d343fd20ada6 Mon Sep 17 00:00:00 2001
From: Nicolas Dufresne
Date: Wed, 12 Apr 2023 17:18:13 -0400
Subject: [PATCH] v4l2: Fix use after free of fmtdesc

The decoder needs to force another enumeration of the format. For this it was clearing the v4l2object insternal list, leaving a fmtdesc pointer pointing to freed memory. This patch clears the fmtdesc pointer that has just been free. It also makes sure the probe function does not use the cached formats list. The probe function will restore the current fmtdesc pointer based on the currently configured pixelformat.

Part-of:
---
 subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c b/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c
index 8550910..541fd72 100644
--- a/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c
+++ b/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c
@@ -591,7 +591,6 @@ gst_v4l2_video_dec_setup_capture (GstVideoDecoder * decoder)
 info.fps_n = self->v4l2output->info.fps_n;
 info.fps_d = self->v4l2output->info.fps_d;
- gst_v4l2_object_clear_format_list (self->v4l2capture);
 gst_caps_replace (&self->probed_srccaps, NULL);
 self->probed_srccaps = gst_v4l2_object_probe_caps (self->v4l2capture, gst_v4l2_object_get_raw_caps ());
@@ -647,6 +646,11 @@ gst_v4l2_video_dec_setup_capture (GstVideoDecoder * decoder)
 use_acquired_caps:
 gst_caps_unref (caps);
+ /* catch possible bogus driver that don't enumerate the format it actually
+ * returned from G_FMT */
+ if (!self->v4l2capture->fmtdesc)
+ goto not_negotiated;
+
 output_state = gst_video_decoder_set_output_state (decoder, info.finfo->format, info.width, info.height, self->input_state);
--
2.7.4
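Review bot: The added `if (!self->v4l2capture->fmtdesc)` guard after `use_acquired_caps:` only catches a NULL pointer, so it closes the use-after-free only if every path that frees the cached format list also resets `fmtdesc` to NULL. The description says the patch clears that pointer and makes the probe skip the cached list, but neither change is in this one-file diff. Anyone applying it should confirm both are present in `gst_v4l2_object_clear_format_list` and `gst_v4l2_object_probe_caps`; if they are not, dropping the clear call in the first hunk would presumably mean no re-enumeration happens at all. It would also help to log the reason before bailing out, for example `GST_ERROR_OBJECT (self, "driver did not enumerate the format returned by G_FMT");`, since the `not_negotiated` label and the rest of the function lie outside both hunks.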