Details
- Bug
- Resolution: Fixed
- P2: Important
- 5.12.0
- None
Description
Deleting a QCamera instance and then returning to the event loop causes a read access violation due to the deferred delete of DirectShowSampleGrabber. The QCamera destructor leads to the immediate release of DSServicePlugin and hence a call to CoUninitialize; however, DirectShowSampleGrabber contains a COM pointer that it still thinks is valid and tries to use in the deferred delete, leading to the read access violation.
Min repro:
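```cpp
#include <QCoreApplication>
#include <QCamera>
#include <QCameraInfo>
#include <QTimer>

int main(int argc, char *argv[])
{
    QCoreApplication app(argc, argv);
    // make sure you have at least one camera on the system
    QCamera *camera = new QCamera(QCameraInfo::defaultCamera());
    camera->setCaptureMode(QCamera::CaptureStillImage);
    camera->start();
    // Delete the camera from inside the event loop; the crash follows on the next loop pass
    QTimer::singleShot(0, [&] { delete camera; });
    return app.exec();
}
```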
Violation is raised at line 148 of qtmultimedia/src/plugins/directshow/common/directshowsamplegrabber.cpp once control returns to the event loop after the deletion of the QCamera instance.
The deferred delete event is set up at line 440 of qtmultimedia/src/plugins/directshow/camera/dscamerasession.cpp.
Not sure what the best fix would be; perhaps DirectShowSampleGrabber should call addRefCount() and releaseRefCount() from dsserviceplugin.cpp to ensure the plugin lifetime outlasts its own lifetime.
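A portable C++ model of the teardown order described in this report and of the ref-count idea suggested above, added here as an example; it is not Qt's code and not the merged change. `ComRuntime`, `SampleGrabber`, `Result` and `replayTeardown` are hypothetical stand-ins, and `addRefCount()`/`releaseRefCount()` only borrow the names mentioned in the report, not their real signatures.

```cpp
// Portable model of the lifetime bug and a ref-count guard; no Qt or COM needed.
#include <functional>
#include <vector>

// Stand-in for the COM init state owned by the service plugin (assumption).
struct ComRuntime {
    int refs = 0;
    bool initialized = false;
    void addRefCount()     { if (refs++ == 0) initialized = true; }   // models CoInitialize
    void releaseRefCount() { if (--refs == 0) initialized = false; }  // models CoUninitialize
};

// Stand-in for DirectShowSampleGrabber: its destructor uses a COM pointer.
class SampleGrabber {
public:
    SampleGrabber(ComRuntime &com, bool holdRef, bool &badRelease)
        : m_com(com), m_holdRef(holdRef), m_badRelease(badRelease)
    { if (m_holdRef) m_com.addRefCount(); }
    ~SampleGrabber() {
        // Using a COM pointer after uninitialization is the reported violation.
        if (!m_com.initialized) m_badRelease = true;
        if (m_holdRef) m_com.releaseRefCount();
    }
private:
    ComRuntime &m_com;
    bool m_holdRef;
    bool &m_badRelease;
};

struct Result { bool badRelease; bool comStillInitialized; };

// Replays the report's sequence: plugin released first, grabber deleted later.
Result replayTeardown(bool grabberHoldsRef) {
    ComRuntime com;
    std::vector<std::function<void()>> deferred;    // models the deferred-delete queue
    bool badRelease = false;

    com.addRefCount();                               // plugin loaded
    auto *grabber = new SampleGrabber(com, grabberHoldsRef, badRelease);
    deferred.push_back([grabber] { delete grabber; });  // deferred delete scheduled
    com.releaseRefCount();                           // camera destructor releases the plugin

    for (auto &job : deferred) job();                // control returns to the event loop
    return Result{badRelease, com.initialized};
}
```

With `grabberHoldsRef` false the destructor runs after the runtime is torn down; with it true the teardown is postponed until the grabber is gone and the runtime is still uninitialized afterwards.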
For Gerrit Dashboard: QTBUG-73461

| # | Subject | Branch | Project | Status | CR | V |
|---|---|---|---|---|---|---|
| 252116,3 | DirectShow: Fix crash when camera is being destroyed | 5.12 | qt/qtmultimedia | Status: MERGED | +2 | 0 |