openh264dec: Potential memory corruption when writing output buffers
This comes from @mcatanzaro, when browsing with Epiphany TP on wunderground.com
I wasn't able to reproduce it yet with gst-play-1.0, so the issue is not confirmed to be a bug in GStreamer, but while reading the backtrace, thread 41 in particular led me to read the code of gst_openh264dec_handle_frame(), especially towards the end when writing the frame output buffer.
We allocate the output frame and then map it to write the YUV data. The doc of gst_video_decoder_allocate_output_frame() specifies the output buffer "is owned by the frame and you should only keep references to the frame, not the buffer", but IIUC we do ref the buffer when mapping it with gst_video_frame_map(). Shouldn't we use the GST_VIDEO_FRAME_MAP_FLAG_NO_REF flag when mapping the video frame?
Also, when unmapping, we unmap the codec state and then the frame. Shouldn't this order be reversed?