From e890e6e8d8bd581ff19b038b5c7077e45cb9a60b Mon Sep 17 00:00:00 2001 From: Nicolas Dufresne Date: Wed, 12 Apr 2023 17:18:13 -0400 Subject: [PATCH] v4l2: Fix use after free of fmtdesc The decoder needs to force another enumeration of the format. For this it was clearing the v4l2object insternal list, leaving a fmtdesc pointer pointing to freed memory. This patch clears the fmtdesc pointer that has just been free. It also makes sure the probe function does not use the cached formats list. The probe function will restore the current fmtdesc pointer based on the currently configured pixelformat. Part-of: --- subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c b/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c index 8550910716..541fd72e7a 100644 --- a/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c +++ b/subprojects/gst-plugins-good/sys/v4l2/gstv4l2videodec.c @@ -591,7 +591,6 @@ gst_v4l2_video_dec_setup_capture (GstVideoDecoder * decoder) info.fps_n = self->v4l2output->info.fps_n; info.fps_d = self->v4l2output->info.fps_d; - gst_v4l2_object_clear_format_list (self->v4l2capture); gst_caps_replace (&self->probed_srccaps, NULL); self->probed_srccaps = gst_v4l2_object_probe_caps (self->v4l2capture, gst_v4l2_object_get_raw_caps ()); @@ -647,6 +646,11 @@ gst_v4l2_video_dec_setup_capture (GstVideoDecoder * decoder) use_acquired_caps: gst_caps_unref (caps); + /* catch possible bogus driver that don't enumerate the format it actually + * returned from G_FMT */ + if (!self->v4l2capture->fmtdesc) + goto not_negotiated; + output_state = gst_video_decoder_set_output_state (decoder, info.finfo->format, info.width, info.height, self->input_state);
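Review bot: The new `if (!self->v4l2capture->fmtdesc)` guard after `use_acquired_caps:` only catches a NULL pointer, so it prevents the use-after-free only if every path that frees the format list also resets `fmtdesc`. The description says the patch clears the pointer once the list is freed and stops the probe from using the cached list, but the diffstat lists only this file and neither change is visible here. If `gst_v4l2_object_clear_format_list ()` (outside this diff) still leaves the pointer untouched, another caller can leave it dangling and this check will pass on freed memory; resetting it there, e.g. `v4l2object->fmtdesc = NULL;`, would make the guard reliable. With the clear call dropped in the first hunk, it is also worth confirming that `gst_v4l2_object_probe_caps ()` still forces the fresh enumeration the description asks for. The bail-out is silent as far as the hunk shows, so a line such as `GST_ERROR_OBJECT (self, "driver did not enumerate the format returned by G_FMT");` before the `goto` would help; the `not_negotiated` label lies outside the hunk, so check that it does not unref `caps` a second time.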