gtk: Fix double-free when OpenGL can't be initialised (!2565) · Merge requests · GStreamer / gstreamer

Bastien Nocera requested to merge hadess/gstreamer:wip/hadess/gtkgstglwidget-double-free into main Jun 07, 2022

gtk_gl_area_get_error() doesn't return a copy of the error, but just the error. If initialising OpenGL fails, then GtkGstGLWidget will consume the error, and cause GTK to try and display freed memory.

==50914== Invalid read of size 8
==50914==    at 0x4C4CB8A: gtk_gl_area_draw_error_screen (gtkglarea.c:663)
==50914==    by 0x4C4CB8A: gtk_gl_area_draw (gtkglarea.c:687)
==50914==    by 0x4E061CA: gtk_widget_draw_internal (gtkwidget.c:7084)
==50914==    by 0x4BAEFB1: gtk_container_propagate_draw (gtkcontainer.c:3854)
==50914==    by 0x4D4B6BF: gtk_stack_render (gtkstack.c:2207)
==50914==    by 0x4BB4B03: gtk_css_custom_gadget_draw (gtkcsscustomgadget.c:159)
==50914==    by 0x4BBA4C4: gtk_css_gadget_draw (gtkcssgadget.c:885)
==50914==    by 0x4D4D780: gtk_stack_draw (gtkstack.c:2119)
==50914==    by 0x4E061CA: gtk_widget_draw_internal (gtkwidget.c:7084)
==50914==    by 0x4BAEFB1: gtk_container_propagate_draw (gtkcontainer.c:3854)
==50914==    by 0x4BAF0C3: gtk_container_draw (gtkcontainer.c:3674)
==50914==    by 0x4E061CA: gtk_widget_draw_internal (gtkwidget.c:7084)
==50914==    by 0x4BAEFB1: gtk_container_propagate_draw (gtkcontainer.c:3854)
==50914==  Address 0x187a0818 is 8 bytes inside a block of size 16 free'd
==50914==    at 0x48480E4: free (vg_replace_malloc.c:872)
==50914==    by 0x49A5B8C: g_free (gmem.c:218)
==50914==    by 0x49C1013: g_slice_free1 (gslice.c:1183)
==50914==    by 0x4990DE4: g_error_free (gerror.c:870)
==50914==    by 0x4990FE9: g_clear_error (gerror.c:1052)
==50914==    by 0x1A489780: _get_gl_context (gtkgstglwidget.c:540)
==50914==    by 0x1A4863CB: gst_gtk_invoke_func (gstgtkutils.c:39)
==50914==    by 0x49A3834: g_main_context_invoke_full (gmain.c:6137)
==50914==    by 0x1A486450: gst_gtk_invoke_on_main (gstgtkutils.c:59)
==50914==    by 0x1A48A29E: gtk_gst_gl_widget_init_winsys (gtkgstglwidget.c:632)
==50914==    by 0x1A4887E7: gst_gtk_gl_sink_start (gstgtkglsink.c:267)
==50914==    by 0x6579810: gst_base_sink_change_state (gstbasesink.c:5662)
==50914==  Block was alloc'd at
==50914==    at 0x484586F: malloc (vg_replace_malloc.c:381)
==50914==    by 0x49A9278: g_malloc (gmem.c:125)
==50914==    by 0x49C1BA5: g_slice_alloc (gslice.c:1072)
==50914==    by 0x49C3BCC: g_slice_alloc0 (gslice.c:1098)
==50914==    by 0x499096B: g_error_allocate (gerror.c:708)
==50914==    by 0x4990AF1: UnknownInlinedFun (gerror.c:722)
==50914==    by 0x4990AF1: g_error_copy (gerror.c:892)
==50914==    by 0x4C4B9F9: gtk_gl_area_set_error (gtkglarea.c:1036)
==50914==    by 0x4C4BAF7: gtk_gl_area_real_create_context (gtkglarea.c:346)
==50914==    by 0x4B21B28: _gtk_marshal_OBJECT__VOIDv (gtkmarshalers.c:2730)
==50914==    by 0x4920B78: UnknownInlinedFun (gclosure.c:893)
==50914==    by 0x4920B78: g_signal_emit_valist (gsignal.c:3406)
==50914==    by 0x4920CB2: g_signal_emit (gsignal.c:3553)
==50914==    by 0x4C4B927: gtk_gl_area_realize (gtkglarea.c:308)

Reproduced by running:

MESA_GL_VERSION_OVERRIDE=2.7 totem

See https://gitlab.gnome.org/GNOME/totem/-/issues/522

Edited Jun 07, 2022 by Bastien Nocera

gtk: Fix double-free when OpenGL can't be initialised

Merge request reports