We've seen occasional crashes in the `wavparse` module associated with
referencing a buffer in `gst_wavparse_chain` that's already been freed. The
reference is stolen when the buffer is transferred to the adapter with
`gst_adapter_push` and, IIUC, assuming the source doesn't hold a reference to
the buffer, the buffer could be freed during interaction with the adapter in
`gst_wavparse_stream_headers`.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3179>
GST_LOG_OBJECT (wav, "adapter_push %" G_GSIZE_FORMAT " bytes",
gst_buffer_get_size (buf));
+ /* Hold a reference to the buffer, as we access buffer properties in the
+ `GST_WAVPARSE_DATA` case below and `gst_adapter_push` steals a reference
+ to the buffer. */
+ gst_buffer_ref (buf);
+
gst_adapter_push (wav->adapter, buf);
switch (wav->state) {
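Review bot: the `gst_buffer_ref (buf)` placed before `gst_adapter_push` is taken on every call of the chain function, while the comment says only the `GST_WAVPARSE_DATA` case reads the buffer after the push. Consider copying the properties that case needs into locals before the push, which avoids the extra reference and the need for a matching unref on every exit path. If the reference stays, the comment should also say that it is released at `done:`, so that a later early `return` added between the two points is recognised as a leak.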
goto done;
break;
default:
- g_return_val_if_reached (GST_FLOW_ERROR);
+ g_assert_not_reached ();
}
done:
if (G_UNLIKELY (wav->abort_buffering)) {
GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ("unhandled buffer size"));
}
+ gst_buffer_unref (buf);
+
return ret;
}
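Review bot: in the `default:` case, `g_assert_not_reached ()` turns an unexpected `wav->state` from an error return into a process abort, and in builds with `G_DISABLE_ASSERT` it no longer yields `GST_FLOW_ERROR` at all. If the swap is there to avoid returning past the new `gst_buffer_unref (buf)`, then `ret = GST_FLOW_ERROR;` followed by `goto done;` would keep the error return and still release the reference. The unref after `done:` only balances the earlier `gst_buffer_ref` if every path goes through this label, so any remaining direct `return` in the function needs checking.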