[PATCH v6 0/1] MR9858: qasf: Fix use-after-free of filter in reader callback.
If an asf reader callback is invoked after its corresponding reader has been destroyed, it will still try to use the reader via asf_callback->filter, resulting in use-after-free. This commit sets asf_callback->filter to NULL when the reader is destroyed, and adds NULL checks to reader callback functions to make them no-op after the reader is destroyed. Fixes: Bug 59159 -- v6: qasf: Don't start a stopped stream in media_seeking_ChangeCurrent. https://gitlab.winehq.org/wine/wine/-/merge_requests/9858
From: Yuxuan Shui <yshui@codeweavers.com> Otherwise we get a running WMReader inside a stopped asf reader, which is unexpected by other parts of the code. For example, asf_reader_destroy expects the WMReader to have already been stopped. If it is not, use of freed memory may result from a race condition between the WMReader invoking reader callback (which references the asf_reader) and asf_reader_destroy freeing asf_reader's resources. Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=59159 --- dlls/qasf/asfreader.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/dlls/qasf/asfreader.c b/dlls/qasf/asfreader.c index f6b4b499883..41f0a5f4a7b 100644 --- a/dlls/qasf/asfreader.c +++ b/dlls/qasf/asfreader.c @@ -327,7 +327,8 @@ static HRESULT WINAPI media_seeking_ChangeCurrent(IMediaSeeking *iface) struct asf_stream *stream = impl_from_IMediaSeeking(iface); struct asf_reader *filter = asf_reader_from_asf_stream(stream); struct SourceSeeking *seek = &stream->seek; - HRESULT hr; + WMT_STATUS filter_status = filter->status; + HRESULT hr = S_OK; UINT i; TRACE("iface %p.\n", iface); @@ -340,7 +341,8 @@ static HRESULT WINAPI media_seeking_ChangeCurrent(IMediaSeeking *iface) } /* Stop the reader. */ - hr = asf_reader_stop_stream(filter); + if (filter_status == WMT_STARTED && FAILED(hr = asf_reader_stop_stream(filter))) + return hr; /* Send end flush commands downstream. */ for (i = 0; i < filter->stream_count; ++i) @@ -349,8 +351,8 @@ static HRESULT WINAPI media_seeking_ChangeCurrent(IMediaSeeking *iface) WARN("Failed to EndFlush for stream %u.\n", i); } - /* Start the reader. */ - if (hr == S_OK) + /* Start the reader again if it was started. */ + if (filter_status == WMT_STARTED) hr = asf_reader_start_stream(filter, seek->llCurrent, seek->llDuration, seek->dRate); return hr; -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/9858
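Review bot: the early return added in the @@ -340 hunk (`if (filter_status == WMT_STARTED && FAILED(hr = asf_reader_stop_stream(filter))) return hr;`) skips the loop that follows it, which sends EndFlush to every stream. The removed line `hr = asf_reader_stop_stream(filter);` fell through to that loop whatever the result was, so a failed stop now leaves the downstream pins without the EndFlush they previously received. Either run the EndFlush loop before returning the failure, or say in the commit message why returning early without it is safe.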
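Review bot: `filter_status` in the @@ -327 hunk is a one-time snapshot of `filter->status` taken at function entry, and the @@ -349 hunk restarts the reader based on that snapshot rather than on the current state. Nothing in the visible lines shows whether the read happens under the filter's lock or whether the status can change between the snapshot and the restart; if it can, the reader could be started again after another thread has stopped it, which is the stopped-filter-with-running-WMReader state the commit message sets out to avoid. A short comment stating which lock is held across this function, or taking the snapshot after acquiring it, would make the invariant explicit.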
This merge request was approved by Elizabeth Figura. -- https://gitlab.winehq.org/wine/wine/-/merge_requests/9858
Participants (3): Elizabeth Figura (@zfigura), Yuxuan Shui, Yuxuan Shui (@yshui)