wavparse: Avoid occasional crash due to referencing freed buffer.

We've seen occasional crashes in the `wavparse` module associated with
referencing a buffer in `gst_wavparse_chain` that's already been freed.  The
reference is stolen when the buffer is transferred to the adapter with
`gst_adapter_push` and, IIUC, assuming the source doesn't hold a reference to
the buffer, the buffer could be freed during interaction with the adapter in
`gst_wavparse_stream_headers`.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3179>

diff --git a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
index 3f3e192..677d2e5 100644 (file)
--- a/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
+++ b/subprojects/gst-plugins-good/gst/wavparse/gstwavparse.c
@@ -2333,6 +2333,11 @@ gst_wavparse_chain (GstPad * pad, GstObject * parent, GstBuffer * buf)
   GST_LOG_OBJECT (wav, "adapter_push %" G_GSIZE_FORMAT " bytes",
       gst_buffer_get_size (buf));
 
+  /* Hold a reference to the buffer, as we access buffer properties in the
+     `GST_WAVPARSE_DATA` case below and `gst_adapter_push` steals a reference
+     to the buffer. */
+  gst_buffer_ref (buf);
+
   gst_adapter_push (wav->adapter, buf);
 
   switch (wav->state) {
@@ -2364,7 +2369,7 @@ gst_wavparse_chain (GstPad * pad, GstObject * parent, GstBuffer * buf)
         goto done;
       break;
     default:
-      g_return_val_if_reached (GST_FLOW_ERROR);
+      g_assert_not_reached ();
   }
 done:
   if (G_UNLIKELY (wav->abort_buffering)) {
@@ -2374,6 +2379,8 @@ done:
     GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ("unhandled buffer size"));
   }
 
+  gst_buffer_unref (buf);
+
   return ret;
 }