Summary
The ReadWriteLocker class in src/video/videoframe.h has an uninitialized pointer member that causes undefined behavior when default-constructed instances are destroyed.
Details
    // videoframe.h
    class ReadWriteLocker {
    public:
        ReadWriteLocker() = default; // lock_ is NOT initialized
        // ...
        ~ReadWriteLocker()
        {
            if (lock_ != nullptr) { // reads uninitialized memory!
                lock_->unlock();
            }
        }
    private:
        QReadWriteLock* lock_; // no default initializer
    };
Default-constructed ReadWriteLocker instances are returned on error paths in toGenericObject() (line 708) and toToxYUVFrame() (line 320). When these are destroyed, the destructor reads the uninitialized lock_ pointer and may call unlock() on a garbage address.
Suggested Fix
    private:
        QReadWriteLock* lock_ = nullptr;
One-character fix, eliminates an entire class of UB.
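To show why the default member initializer is enough, here is an added, self-contained stand-in for the fixed class (example code, not the project's videoframe.h): a constructed counting FakeReadWriteLock replaces QReadWriteLock, and a move constructor is assumed so that a locker returned from a function releases the lock exactly once.

```cpp
// Added example, not qTox code: the fixed ReadWriteLocker exercised on both
// the error path (default-constructed) and the success path (lock held).
#include <utility>

// Constructed stand-in for QReadWriteLock; it counts calls instead of locking.
struct FakeReadWriteLock {
    int locks = 0;
    int unlocks = 0;
    void lockForRead() { ++locks; }
    void unlock() { ++unlocks; }
};

class ReadWriteLocker {
public:
    ReadWriteLocker() = default;  // lock_ now starts as nullptr, so ~ReadWriteLocker is safe
    explicit ReadWriteLocker(FakeReadWriteLock* lock) : lock_(lock) { lock_->lockForRead(); }
    ReadWriteLocker(const ReadWriteLocker&) = delete;
    ReadWriteLocker& operator=(const ReadWriteLocker&) = delete;
    // Assumed move constructor: ownership moves out so the source no longer unlocks.
    ReadWriteLocker(ReadWriteLocker&& other) noexcept
        : lock_(std::exchange(other.lock_, nullptr)) {}
    ~ReadWriteLocker()
    {
        if (lock_ != nullptr) {  // now a well-defined test against nullptr
            lock_->unlock();
        }
    }
    bool holdsLock() const { return lock_ != nullptr; }
private:
    FakeReadWriteLock* lock_ = nullptr;  // the suggested default initializer
};

// Mirrors an error path such as the ones in toGenericObject()/toToxYUVFrame().
ReadWriteLocker failedConversion() { return ReadWriteLocker(); }

// Mirrors a success path that returns a locker holding the lock.
ReadWriteLocker successfulConversion(FakeReadWriteLock& lock) { return ReadWriteLocker(&lock); }

// Runs both paths; true when the error path never touched the lock and the
// success path locked and unlocked exactly once.
bool lockAccountingBalances()
{
    FakeReadWriteLock lock;
    {
        ReadWriteLocker none = failedConversion();  // destroyed with lock_ == nullptr
        if (none.holdsLock() || lock.locks != 0) return false;
    }
    {
        ReadWriteLocker held = successfulConversion(lock);
        if (!held.holdsLock() || lock.locks != 1 || lock.unlocks != 0) return false;
    }
    return lock.locks == 1 && lock.unlocks == 1;
}
```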
Impact
Potential crash on any video frame conversion error path. Would be caught by ASan/MSan.