glvideomixer: hold extra pad ref while calling parent

Our subsequent cleanup needs a ref on the pad and calling the parent may
release the last reference and could cause a use-after-free.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/1187>

diff --git a/ext/gl/gstglvideomixer.c b/ext/gl/gstglvideomixer.c
index 8516286..a08016b 100644 (file)
--- a/ext/gl/gstglvideomixer.c
+++ b/ext/gl/gstglvideomixer.c
@@ -881,7 +881,9 @@ gst_gl_video_mixer_release_pad (GstElement * element, GstPad * p)
   /* we call the base class first as this will remove the pad from
    * the aggregator, thus stopping misc callbacks from being called,
    * one of which (process_textures) will recreate the vertex_buffer
-   * if it is destroyed */
+   * if it is destroyed.  Calling the parent may release the last ref to the pad
+   * so we need to keep the pad alive for the follow up clean up */
+  gst_object_ref (pad);
   GST_ELEMENT_CLASS (g_type_class_peek_parent (G_OBJECT_GET_CLASS (element)))
       ->release_pad (element, p);
 
@@ -891,6 +893,7 @@ gst_gl_video_mixer_release_pad (GstElement * element, GstPad * p)
         _del_buffer, &pad->vertex_buffer);
     pad->vertex_buffer = 0;
   }
+  gst_object_unref (pad);
 }
 
 static void