mirror/motion
1
0
Fork 0
mirror of https://github.com/Motion-Project/motion.git synced 2026-06-11 23:34:36 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix dangling pointer cnt->current_image after resize

Browse Source 
cnt->current_image because a dangling pointer after image_ring_resize
because it is pointing to cnt->imgs.image_ring which is reallocated in
that routine.  motion_loop will then store cnt->current_image in
old_image which it can then read from.

Reallocations are rare, once in init to size 1, then once to the final
size.  I apparently have a bad USB link and I was seeing a crash
pointing to bad data, after that camera started, then had an error and
crashed in process_image_ring(cnt, IMAGE_BUFFER_FLUSH);
it hadn't yet resized to the normal ring buffer size.  That got me
trying valgrind with a ring buffer size limit of 1 which found this
bug.
This commit is contained in:
David Fries
2014-08-23 14:04:22 -05:00
parent ea7e94863a
commit 37360d858d
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
motion.c
View File

@@ -134,6 +134,7 @@ static void image_ring_resize(struct context *cnt, int new_size)
/* Point to the new ring */
cnt->imgs.image_ring = tmp;
cnt->current_image = NULL;
cnt->imgs.image_ring_size = new_size;
}
@@ -168,6 +169,7 @@ static void image_ring_destroy(struct context *cnt)
free(cnt->imgs.image_ring);
cnt->imgs.image_ring = NULL;
cnt->current_image = NULL;
cnt->imgs.image_ring_size = 0;
}