
{d3d12,d3d11}decoder: Fix potential use after free

A DPB buffer held by a codec picture object may not be writable at the moment, and then gst_buffer_make_writable() will unref the passed buffer.

Specifically, the use after free or double free can happen if:

  • Crop meta of a buffer copy is required because of a non-zero top-left crop position
  • zero-copy is possible with crop meta
  • A picture was duplicated (an interlaced h264 stream, for example)

An interlaced h264 stream with a non-zero top-left crop position is not very common, but it's a possible configuration in theory.

Thus gst_buffer_make_writable() should be called with GstVideoCodecFrame.output_buffer directly.
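The ownership mistake the message describes, as an added C illustration that is not the decoder's own code: a constructed stand-in for a refcounted buffer with the same transfer-full contract as gst_buffer_make_writable(), a duplicated picture sharing one DPB buffer, and the two call patterns side by side. The Buffer, Picture and Frame types and run_output() are assumptions made for the example; a simulated free (a flag instead of free()) lets the dangling reference be detected without undefined behaviour.

```c
#include <stdlib.h>

/* Constructed stand-in for a refcounted GstBuffer. A buffer whose refcount
 * drops to zero is flagged, not released, so a later unref can be counted. */
typedef struct { int refcount; int freed; int unref_after_free; int data; } Buffer;

static Buffer *buffer_new(int data) {
  Buffer *b = calloc(1, sizeof *b); b->refcount = 1; b->data = data; return b;
}
static Buffer *buffer_ref(Buffer *b) { b->refcount++; return b; }
static void buffer_unref(Buffer *b) {
  if (b->freed) { b->unref_after_free++; return; }  /* double free in real code */
  if (--b->refcount == 0) b->freed = 1;             /* simulated free */
}
/* Same ownership contract as gst_buffer_make_writable(): consumes the passed
 * reference; returns it if exclusive, otherwise drops it and returns a copy. */
static Buffer *buffer_make_writable(Buffer *b) {
  if (b->refcount == 1) return b;
  Buffer *copy = buffer_new(b->data);
  buffer_unref(b);
  return copy;
}

typedef struct { Buffer *buffer; } Picture;      /* DPB picture, owns one ref */
typedef struct { Buffer *output_buffer; } Frame; /* GstVideoCodecFrame stand-in */

/* Outputs one picture whose DPB buffer is shared with a duplicated picture.
 * buggy != 0: make the picture's own reference writable (the reported bug).
 * buggy == 0: take the frame's own reference and make that writable.
 * Returns how many unref calls landed on an already freed buffer. */
static int run_output(int buggy) {
  Buffer *dpb = buffer_new(42);
  Picture first = { dpb }, second = { buffer_ref(dpb) };  /* duplicated picture */
  Frame frame = { NULL };
  if (buggy) {
    /* Consumes the reference owned by `first`; first.buffer now dangles. */
    frame.output_buffer = buffer_make_writable(first.buffer);
  } else {
    frame.output_buffer = buffer_ref(first.buffer);
    frame.output_buffer = buffer_make_writable(frame.output_buffer);
  }
  frame.output_buffer->data = 7;   /* crop meta would be attached here */
  buffer_unref(frame.output_buffer);
  buffer_unref(first.buffer);      /* DPB releases both pictures */
  buffer_unref(second.buffer);
  int bad = dpb->unref_after_free;
  free(frame.output_buffer);
  free(dpb);
  return bad;
}
```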
