From 468c78e30594310bed34d0d59b5544e4ef71f38e Mon Sep 17 00:00:00 2001 From: Vito Caputo Date: Wed, 12 Jul 2023 15:15:44 -0700 Subject: modules/rtv: perform gc immediately in cleanup_channel() Until channel context paths are distinct it's buggy to let the contexts linger while constructing the next channel's contexts. Originally when the gc was added here the intention was to support stuff like the "ref" module and get the channels settings wired up immediately with more focus on rtv's details in this area. Supporting stuff like contexts backing some layers persisting across channels, while the others were swapped out, seemed potentially interesting (and it still is). But the rkt stuff became prioritized as rtv is more like a fuzzer than anything despite being the default module. And rkt related activities will continue for now, so let's just get rtv less likely to crash. A reliable repro for triggering an ASAN UAF bug without this commit is: --seed=0x64af3b05 '--module=rtv,duration=1,context_duration=1,channels=compose,caption_duration=2,snow_duration=0,snow_module=none,log_channels=on' '--video=sdl,fullscreen=off,size=640x480' A few channels in blinds will UAF while updating taps stored in a freed context, because the previous channel has a blinds in the same layer as the newly setup channel, putting the contexts at exactly the same paths on-stream. There's probably another bug in here that I need to dig into, but coexisting contexts at the same path on-stream was never the intention. The syncronous immediate gc ensures nothing remains of the previous channel before constructing the new one at the same path. --- src/modules/rtv/rtv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/modules/rtv') diff --git a/src/modules/rtv/rtv.c b/src/modules/rtv/rtv.c index 9cf025a..445be0f 100644 --- a/src/modules/rtv/rtv.c +++ b/src/modules/rtv/rtv.c @@ -138,6 +138,8 @@ static void cleanup_channel(rtv_context_t *ctxt) ctxt->channel->settings_as_arg = NULL; ctxt->caption = ctxt->channel->caption = txt_free(ctxt->channel->caption); + + til_stream_gc_module_contexts(ctxt->til_module_context.stream); } @@ -222,8 +224,6 @@ static void setup_next_channel(rtv_context_t *ctxt, unsigned ticks) if (!ctxt->channel->module_ctxt) (void) til_module_create_context(ctxt->channel->module, ctxt->til_module_context.stream, rand_r(&ctxt->til_module_context.seed), ticks, ctxt->til_module_context.n_cpus, ctxt->channel->module_setup, &ctxt->channel->module_ctxt); - til_stream_gc_module_contexts(ctxt->til_module_context.stream); - ctxt->channel->last_on_time = now; } -- cgit v1.2.3