From: Phil Roffe and David Grellscheid <philip.roffe@durham.ac.uk>
Date: Tue, 14 Apr 2009 18:43:12 +0000 (+0200)
Subject: Fixed by decrementing the i_refcount variable in the correct manner -
X-Git-Tag: 1.0.0-pre2~57
X-Git-Url: https://git.sesse.net/?a=commitdiff_plain;h=6cab63a2e5e4a53e135ee455244b89b1601f4e2a;p=vlc

Fixed by decrementing the i_refcount variable in the correct manner -
and therefore freeing the memory only when the i_refcount successfully
went to 0.

The problem was that i_refcount is an unsigned variable, and was being
decremented twice, once erroneously by mosaic_bridge, and then again in
the picture's original pf_release function. If i_refcount started at 1,
it wrapped to the maximum unsigned value rather than -1, failing the
refcount tests in the pf_release function.

Patch Authors: Phil Roffe and David Grellscheid

Signed-off-by: Antoine Cellerier <dionoea@videolan.org>
---

diff --git a/modules/stream_out/mosaic_bridge.c b/modules/stream_out/mosaic_bridge.c
index e7a8d85e80..4a8e6382e5 100644
--- a/modules/stream_out/mosaic_bridge.c
+++ b/modules/stream_out/mosaic_bridge.c
@@ -80,8 +80,6 @@ static void ReleasePicture( picture_t *p_pic )
 {
     assert( p_pic );
 
-    if( --p_pic->i_refcount > 0 )
-        return;
 
     if( p_pic->p_sys )
     {
@@ -91,9 +89,12 @@ static void ReleasePicture( picture_t *p_pic )
     }
     else
     {
-        free( p_pic->p_q );
-        free( p_pic->p_data_orig );
-        free( p_pic );
+        if( --p_pic->i_refcount == 0 )
+        {
+            free( p_pic->p_q );
+            free( p_pic->p_data_orig );
+            free( p_pic );
+        }
     }
 }