bin: Fix use-after-free issue in gst_bin_add()

author Philippe Normand <philn@igalia.com>

Sat, 8 Sep 2018 12:05:13 +0000 (13:05 +0100)

committer Tim-Philipp Müller <tim@centricular.com>

Sat, 8 Sep 2018 18:15:41 +0000 (19:15 +0100)
author Philippe Normand <philn@igalia.com>
Sat, 8 Sep 2018 12:05:13 +0000 (13:05 +0100)
committer Tim-Philipp Müller <tim@centricular.com>
Sat, 8 Sep 2018 18:15:41 +0000 (19:15 +0100)
diff --git a/gst/gstbin.c b/gst/gstbin.c

index 96a0c9d..e5d4ecd 100644 (file)
--- a/gst/gstbin.c
+++ b/gst/gstbin.c
@@ -1301,12 +1301,14 @@ no_state_recalc:
      s = (GstStructure *) gst_message_get_structure (msg);
      gst_structure_get (s, "bin.old.context", GST_TYPE_CONTEXT, &context, NULL);
      gst_structure_remove_field (s, "bin.old.context");
-    gst_element_post_message (GST_ELEMENT_CAST (bin), msg);
+    /* Keep the msg around while we still need access to the context_type */
+    gst_element_post_message (GST_ELEMENT_CAST (bin), gst_message_ref (msg));
  
      /* lock to avoid losing a potential write */
      GST_OBJECT_LOCK (bin);
      replacement =
          gst_element_get_context_unlocked (GST_ELEMENT_CAST (bin), context_type);
+    gst_message_unref (msg);
  
      if (replacement) {
        /* we got the context set from GstElement::set_context */
author	Philippe Normand <philn@igalia.com>
	Sat, 8 Sep 2018 12:05:13 +0000 (13:05 +0100)
committer	Tim-Philipp Müller <tim@centricular.com>
	Sat, 8 Sep 2018 18:15:41 +0000 (19:15 +0100)