Skip to content

Commit

Permalink
Fix frame double-free
Browse files Browse the repository at this point in the history
Decrement refcnt and load the refcnt should be in 1 instruction in order to
prevent data race in a multithreading environment.
  • Loading branch information
Xin Xie authored and nilfm99 committed Jun 12, 2024
1 parent b24c3d6 commit 4c0e631
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 5 deletions.
4 changes: 2 additions & 2 deletions libvmaf/src/picture.c
Original file line number Diff line number Diff line change
Expand Up @@ -124,8 +124,8 @@ int vmaf_picture_unref(VmafPicture *pic) {
if (!pic) return -EINVAL;
if (!pic->ref) return -EINVAL;

vmaf_ref_fetch_decrement(pic->ref);
if (vmaf_ref_load(pic->ref) == 0) {
const long old_cnt = vmaf_ref_fetch_decrement(pic->ref);
if (old_cnt == 1) {
const VmafPicturePrivate *priv = pic->priv;
priv->release_picture(pic, priv->cookie);
free(pic->priv);
Expand Down
4 changes: 2 additions & 2 deletions libvmaf/src/ref.c
Original file line number Diff line number Diff line change
Expand Up @@ -36,9 +36,9 @@ void vmaf_ref_fetch_increment(VmafRef *ref)
atomic_fetch_add(&ref->cnt, 1);
}

void vmaf_ref_fetch_decrement(VmafRef *ref)
long vmaf_ref_fetch_decrement(VmafRef *ref)
{
atomic_fetch_sub(&ref->cnt, 1);
return atomic_fetch_sub(&ref->cnt, 1);
}

long vmaf_ref_load(VmafRef *ref)
Expand Down
2 changes: 1 addition & 1 deletion libvmaf/src/ref.h
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ typedef struct VmafRef {

int vmaf_ref_init(VmafRef **ref);
void vmaf_ref_fetch_increment(VmafRef *ref);
void vmaf_ref_fetch_decrement(VmafRef *ref);
long vmaf_ref_fetch_decrement(VmafRef *ref);
long vmaf_ref_load(VmafRef *ref);
int vmaf_ref_close(VmafRef *ref);

Expand Down

0 comments on commit 4c0e631

Please sign in to comment.