appsrc: Fix use-after-free when making buffer / buffer-lists writable

make_writable can cause a reallocation of the buffer, meaning that obj
would point to an invalid object, both for buffer and for bufferlist.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7806>

diff --git a/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c b/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c
index 32e35d6ebb73a2e3992b1a2beb7f66831bf05fae..bca4e1b5d1b79e88a67bd002320bf21ff2ad22cb 100644 (file)
--- a/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c
@@ -1569,6 +1569,8 @@ gst_app_src_create (GstBaseSrc * bsrc, guint64 offset, guint size,
          * instead of outputting it */
         if (priv->need_discont_downstream) {
           buffer = gst_buffer_make_writable (buffer);
+          /* In case it reallocates the buffer */
+          obj = GST_MINI_OBJECT (buffer);
           GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT);
           priv->need_discont_downstream = FALSE;
         }
@@ -1594,6 +1596,8 @@ gst_app_src_create (GstBaseSrc * bsrc, guint64 offset, guint size,
           GstBuffer *buffer;
 
           buffer_list = gst_buffer_list_make_writable (buffer_list);
+          /* In case it reallocates the bufferlist */
+          obj = GST_MINI_OBJECT (buffer_list);
           buffer = gst_buffer_list_get_writable (buffer_list, 0);
           GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT);
           priv->need_discont_downstream = FALSE;