Bug: (Maybe) use after free with SetVideoSettings #1344

Description

@jeiea

OS

Windows 11

OBS Studio Version

32.1.2

obs-websocket Version

5.1.0?

OBS Studio Log / Crash URL

https://gist.github.com/jeiea/77aab9ead615dbcb95ef1d3b5d385f6b

Steps to Reproduce

  1. Start OBS with Virtual Camera available but inactive. Ensure no output is running.
  2. Create a scene for temporary sources.
  3. Call SetVideoSettings with:
    • Base/output resolution: 1920x1080
    • FPS: 60000/1001
  4. Create and remove 64 disabled browser_source inputs in the temporary scene.
  5. Call GetVideoSettings. This should succeed and confirm that OBS is still responsive.
  6. Call GetOutputList.
  7. If it does not reproduce, repeat steps 3-6 while alternating with 1280x720 at 30000/1001.

Expected Behavior

Both requests return normally. Existing inactive outputs continue to reference valid video state after the video reset.

Actual Behavior

OBS generates an access-violation crash report in GetOutputList:

Unhandled exception: c0000005
obs.dll!obs_output_get_width
obs-websocket.dll!Utils::Obs::ArrayHelper::GetOutputList
obs.dll!obs_enum_outputs
obs-websocket.dll!RequestHandler::GetOutputList

The first argument shown for obs_output_get_width was 0x11, consistent with an invalid video_t->parent pointer.

Comment

This issue was almost entirely generated by GPT-5, but it seems to occur quite reliably.

GPT diagnostics

  • The inactive Virtual Camera output is created once in BasicOutputHandler. Raw outputs capture the current obs_get_video() pointer when created in obs-output.c.
  • obs-websocket's SetVideoSettings calls obs_frontend_reset_video(). The reset path frees the existing video state in obs_reset_video, but the inactive Virtual Camera output is not recreated.
  • obs-websocket's GetOutputList enumerates every output and calls obs_output_get_width() and obs_output_get_height().
  • GetVideoSettings reads the main canvas directly and does not enumerate outputs. It consistently succeeded immediately before the crashing GetOutputList call.

This suggests that the inactive raw virtualcam_output retains a stale video pointer after the video core is reset.
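
The stale-pointer pattern the diagnostics describe, next to a generation check that avoids it, as an added example that is not part of the original issue and is not OBS or obs-websocket code. It is a self-contained model; every type and function name in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model, not OBS code: one global video state that a reset replaces. */
struct video { uint32_t width, height; };
static struct video *g_video;   /* current video state */
static uint64_t g_video_gen;    /* bumped on every reset */

/* An output remembers the video state that existed when it was created. */
struct output { struct video *video; uint64_t gen; };

static void video_reset(uint32_t w, uint32_t h) {
    free(g_video);              /* old state is gone; cached pointers now dangle */
    g_video = malloc(sizeof *g_video);
    if (!g_video) abort();
    *g_video = (struct video){ w, h };
    g_video_gen++;
}

static struct output output_create(void) {
    return (struct output){ g_video, g_video_gen };
}

/* Pattern from the report: trusts the pointer captured at creation.
 * After video_reset() this would read freed memory, so this example
 * only calls it before a reset. */
static uint32_t output_width_cached(const struct output *o) {
    return o->video->width;
}

/* Compares counters, not pointers: malloc may reuse the freed address,
 * so pointer equality cannot prove the state is still the same one. */
static int output_is_stale(const struct output *o) { return o->gen != g_video_gen; }

/* Hardened accessor: rebind to the live state before dereferencing. */
static uint32_t output_width_checked(struct output *o) {
    if (output_is_stale(o)) {
        o->video = g_video;
        o->gen = g_video_gen;
    }
    return o->video ? o->video->width : 0;
}

int main(void) {
    video_reset(1920, 1080);
    struct output cam = output_create();
    printf("before reset: %u\n", (unsigned)output_width_cached(&cam));
    video_reset(1280, 720);
    printf("stale=%d checked=%u\n", output_is_stale(&cam), (unsigned)output_width_checked(&cam));
    return 0;
}
```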
