clock: fix refcounting bug in gst_clock_set_master.

Make sure clock->clockid is unreffed before clock->master.
gst_clock_id_unschedule (clock->clockid) tries to access clock->master. If
clock->master is unreffed before and it's deallocated, _unschedule could access
free'd memory.

diff --git a/gst/gstclock.c b/gst/gstclock.c
index ccc928b..1c4765d 100644 (file)
--- a/gst/gstclock.c
+++ b/gst/gstclock.c
@@ -1078,11 +1078,8 @@ gst_clock_set_master (GstClock * clock, GstClock * master)
   /* we always allow setting the master to NULL */
   if (master && !GST_OBJECT_FLAG_IS_SET (clock, GST_CLOCK_FLAG_CAN_SET_MASTER))
     goto not_supported;
-
   GST_CAT_DEBUG_OBJECT (GST_CAT_CLOCK, clock,
       "slaving %p to master clock %p", clock, master);
-  master_p = &clock->master;
-  gst_object_replace ((GstObject **) master_p, (GstObject *) master);
   GST_OBJECT_UNLOCK (clock);
 
   GST_CLOCK_SLAVE_LOCK (clock);
@@ -1103,6 +1100,11 @@ gst_clock_set_master (GstClock * clock, GstClock * master)
   }
   GST_CLOCK_SLAVE_UNLOCK (clock);
 
+  GST_OBJECT_LOCK (clock);
+  master_p = &clock->master;
+  gst_object_replace ((GstObject **) master_p, (GstObject *) master);
+  GST_OBJECT_UNLOCK (clock);
+
   return TRUE;
 
   /* ERRORS */