From patchwork Thu Jul 18 04:28:05 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Kieran Bingham <kieran.bingham@ideasonboard.com>
X-Patchwork-Id: 1716
Return-Path: <kieran.bingham@ideasonboard.com>
Received: from perceval.ideasonboard.com (perceval.ideasonboard.com
	[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id 9242F60C00
	for <libcamera-devel@lists.libcamera.org>;
	Thu, 18 Jul 2019 06:28:09 +0200 (CEST)
Received: from localhost.localdomain
	(cpc89242-aztw30-2-0-cust488.18-1.cable.virginm.net [86.31.129.233])
	by perceval.ideasonboard.com (Postfix) with ESMTPSA id E95AA31C;
	Thu, 18 Jul 2019 06:28:08 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
	s=mail; t=1563424089;
	bh=uXmmhuX/O3zhw/vaKMrDAsM2Alhe4WV4ESxtisdHgmM=;
	h=From:To:Cc:Subject:Date:From;
	b=iulhCNABBr1GnEm6S0+x7nrjqoImntfw7/YHO1uKQJp/6kV7kuLoJKnk2n/IL8JCU
	mjEsvronoaoTQGsSWN9LQhdBSvE0/U81Y8BPlaFT/bGAzpEcZcb69OIOvwyAUv6CtN
	a4cam8uMMyK3wrwxdJnzZfSrqBrZE616moDXvr2Y=
From: Kieran Bingham <kieran.bingham@ideasonboard.com>
To: LibCamera Devel <libcamera-devel@lists.libcamera.org>
Date: Thu, 18 Jul 2019 05:28:05 +0100
Message-Id: <20190718042805.26595-1-kieran.bingham@ideasonboard.com>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH] test: camera: buffer_import: clear video
	pointer
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jul 2019 04:28:09 -0000

The FrameSink::cleanup() call checks if video_ is set before cleaning up
and then deleting the object.

If the cleanup() call is called twice for any reason, this will
encounter a use-after-free as the video_ pointer is not cleared after
deletion.

Whilst cleanup() is not currently called twice consecutively, to prevent
errors in the future, make it explicit that the object has been deleted
by clearing the stale pointer.

Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund@ragnatech.se>
---
 test/camera/buffer_import.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/test/camera/buffer_import.cpp b/test/camera/buffer_import.cpp
index d6e4fd5bf6ad..400d02b350c1 100644
--- a/test/camera/buffer_import.cpp
+++ b/test/camera/buffer_import.cpp
@@ -109,7 +109,9 @@ public:
 			video_->streamOff();
 			video_->releaseBuffers();
 			video_->close();
+
 			delete video_;
+			video_ = nullptr;
 		}
 
 		if (media_)