From b249494bd62713a5a2fcb1cd4180e5001643f2ac Mon Sep 17 00:00:00 2001
From: Vito Caputo
Date: Mon, 17 Jul 2023 16:59:15 -0700
Subject: main: fix UAF bug on shutdown
When introducing the **fragment_ptr model in 5a0776f, the rototiller_thread() introduced a local place to put the pointer to point at when rendering. But this pointer then ends up outliving the thread on shutdown within any queued frames until quiescent. Fixed in the obvious way by sticking it in rototiller_t instead.
---
 src/main.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/main.c b/src/main.c
index eda0b4e..1abae80 100644
--- a/src/main.c
+++ b/src/main.c
@@ -55,6 +55,7 @@ typedef struct rototiller_t {
 const til_module_t *module;
 til_module_context_t *module_context;
 til_stream_t *stream;
+ til_fb_fragment_t *fragment;
 pthread_t thread;
 til_fb_t *fb;
 struct timeval start_tv;
@@ -334,14 +335,13 @@ static void * rototiller_thread(void *_rt)
 struct timeval now;
 for (;;) {
- til_fb_fragment_t *fragment;
 unsigned ticks;
- fragment = til_fb_page_get(rt->fb);
+ rt->fragment = til_fb_page_get(rt->fb);
 gettimeofday(&now, NULL);
 ticks = get_ticks(&rt->start_tv, &now, rt->ticks_offset);
- til_module_render(rt->module_context, rt->stream, ticks, &fragment);
- til_fb_fragment_submit(fragment);
+ til_module_render(rt->module_context, rt->stream, ticks, &rt->fragment);
+ til_fb_fragment_submit(rt->fragment);
 if (rt->args.print_module_contexts || rt->args.print_pipes) {
 /* render threads are idle at this point */
-- cgit v1.2.3
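Review bot: The new `fragment` member added to rototiller_t in the first hunk carries no comment, yet the only reason it lives in the struct rather than on rototiller_thread()'s stack is the lifetime problem this commit fixes — per the commit message, queued frames keep referencing the pointer after the thread has exited. A one-line comment would stop the next cleanup from moving it back into the loop: `til_fb_fragment_t *fragment; /* lives here, not on the render thread's stack: queued frames reference it until quiescent */`. In the second hunk the member is left pointing at the last submitted fragment after `til_fb_fragment_submit(rt->fragment)`, which matches the stated intent; whether anything clears it when rt itself is torn down is outside the hunk and worth confirming so the dangling reference is not merely moved one level up. rototiller_thread()'s body starts and ends outside the hunk.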