From 9a86275860fca9f4e2232342648bf293467e562e Mon Sep 17 00:00:00 2001 From: Elad Alon Date: Wed, 24 Apr 2019 11:41:32 +0200 Subject: [PATCH] Fix dangling pointers issue in LibvpxVp8Encoder::Encode() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit LibvpxVp8Encoder::Encode() creates a local instance of rtc::scoped_refptr, then sets members to point into the internal state of that I420BufferInterface. These pointers remain in place after the buffer is destroyed. This CL fixes the issue by deleting the references when the function exits. Bug: webrtc:10570 Change-Id: I9623e2ff3dd43e8fd1d1cc7696a3f28227d4544b Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/133882 Reviewed-by: Ilya Nikolaevskiy Reviewed-by: Erik Språng Commit-Queue: Elad Alon Cr-Commit-Position: refs/heads/master@{#27738} --- modules/video_coding/codecs/vp8/libvpx_vp8_encoder.cc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/video_coding/codecs/vp8/libvpx_vp8_encoder.cc b/modules/video_coding/codecs/vp8/libvpx_vp8_encoder.cc index 7f6f7f9436..c09934b1cd 100644 --- a/modules/video_coding/codecs/vp8/libvpx_vp8_encoder.cc +++ b/modules/video_coding/codecs/vp8/libvpx_vp8_encoder.cc @@ -922,6 +922,16 @@ int LibvpxVp8Encoder::Encode(const VideoFrame& frame, raw_images_[0].stride[VPX_PLANE_U] = input_image->StrideU(); raw_images_[0].stride[VPX_PLANE_V] = input_image->StrideV(); + struct CleanUpOnExit { + explicit CleanUpOnExit(vpx_image_t& raw_image) : raw_image_(raw_image) {} + ~CleanUpOnExit() { + raw_image_.planes[VPX_PLANE_Y] = nullptr; + raw_image_.planes[VPX_PLANE_U] = nullptr; + raw_image_.planes[VPX_PLANE_V] = nullptr; + } + vpx_image_t& raw_image_; + } clean_up_on_exit(raw_images_[0]); + for (size_t i = 1; i < encoders_.size(); ++i) { // Scale the image down a number of times by downsampling factor libyuv::I420Scale(