Commit 616d588b, authored by Philippe Normand, committed by Tim-Philipp Müller

bin: Fix use-after-free issue in gst_bin_add()

gst_element_post_message() takes ownership of the message so we need to increase
its refcount until we no longer require access to its data (context_type).

https://bugzilla.gnome.org/show_bug.cgi?id=797099
parent cbd02b95
......@@ -1301,12 +1301,14 @@ no_state_recalc:
s = (GstStructure *) gst_message_get_structure (msg);
gst_structure_get (s, "bin.old.context", GST_TYPE_CONTEXT, &context, NULL);
gst_structure_remove_field (s, "bin.old.context");
gst_element_post_message (GST_ELEMENT_CAST (bin), msg);
/* Keep the msg around while we still need access to the context_type */
gst_element_post_message (GST_ELEMENT_CAST (bin), gst_message_ref (msg));
/* lock to avoid losing a potential write */
GST_OBJECT_LOCK (bin);
replacement =
gst_element_get_context_unlocked (GST_ELEMENT_CAST (bin), context_type);
gst_message_unref (msg);
if (replacement) {
/* we got the context set from GstElement::set_context */
......
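Review bot: gst_message_unref (msg) runs while GST_OBJECT_LOCK (bin) is held, so if the bus has already dropped its reference by then, the message is finalized under the bin's object lock. Consider moving the unref to after the matching unlock (not visible in this hunk), or copying context_type before the post so the extra reference is not needed at all. The new comment would also be clearer if it said that context_type points into msg's data, as the commit message does, since that is the reason the reference is taken.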