Removing a meta from a buffer means one doesn't have access to it
anymore. Instead use the already reffed composition directly.
Fixes a use-after-free in the following pipeline:
... ! vulkanupload ! timeoverlay ! vulkanoverlaycompositor ! ...
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4147>
comp = gst_video_overlay_composition_ref (ometa->overlay);
gst_buffer_remove_meta (buffer, (GstMeta *) ometa);
comp = gst_video_overlay_composition_ref (ometa->overlay);
gst_buffer_remove_meta (buffer, (GstMeta *) ometa);
n = gst_video_overlay_composition_n_rectangles (comp);
if (n == 0) {
n = gst_video_overlay_composition_n_rectangles (comp);
if (n == 0) {
struct vk_overlay *over =
&g_array_index (vk_overlay->overlays, struct vk_overlay, i);
struct vk_overlay *over =
&g_array_index (vk_overlay->overlays, struct vk_overlay, i);
- if (!overlay_in_rectangles (over, ometa->overlay)) {
+ if (!overlay_in_rectangles (over, comp)) {
g_array_remove_index (vk_overlay->overlays, i);
continue;
}
g_array_remove_index (vk_overlay->overlays, i);
continue;
}