fdo-mirrors/mesa
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/mesa/mesa.git synced 2026-05-05 20:28:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

frontends/va: Fix use after free with EFC

Browse source 
This happens when the source surface is destroyed before being used
in encoding operation. It also needs to disable EFC in this case.

Fixes: a7469a9ffd ("frontends/va: Rework EFC logic")
Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/11653
Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/30562>
This commit is contained in:
David Rosca 2024-08-08 08:59:13 +02:00 committed by Marge Bot
parent 1f34eb527c
commit 79ce0e3b2f
1 changed files with 8 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/gallium/frontends/va/surface.c
View file

@ -92,8 +92,14 @@ vlVaDestroySurfaces(VADriverContextP ctx, VASurfaceID *surface_list, int num_sur
if (surf->fence && surf->ctx->decoder && surf->ctx->decoder->destroy_fence)
surf->ctx->decoder->destroy_fence(surf->ctx->decoder, surf->fence);
}
if (drv->last_efc_surface == surf)
drv->last_efc_surface = NULL;
if (drv->last_efc_surface) {
vlVaSurface *efc_surf = drv->last_efc_surface;
if (efc_surf == surf || efc_surf->efc_surface == surf) {
efc_surf->efc_surface = NULL;
drv->last_efc_surface = NULL;
drv->efc_count = -1;
}
}
util_dynarray_fini(&surf->subpics);
FREE(surf);
handle_table_remove(drv->htab, surface_list[i]);