glshader: don't read invalid list pointers (use after free)

gst_gl_shader_detach_unlocked already removes the list entry so attempting to
use the element to iterate to the next stage could read invalid data.

Based on patch by Vineeth TM <vineeth.tm@samsung.com>

https://bugzilla.gnome.org/show_bug.cgi?id=758039

diff --git a/gst-libs/gst/gl/gstglshader.c b/gst-libs/gst/gl/gstglshader.c
index 218c0a8..05b4caf 100644 (file)
--- a/gst-libs/gst/gl/gstglshader.c
+++ b/gst-libs/gst/gl/gstglshader.c
@@ -668,10 +668,12 @@ gst_gl_shader_release_unlocked (GstGLShader * shader)
 
   priv = shader->priv;
 
-  for (elem = shader->priv->stages; elem; elem = elem->next) {
+  for (elem = shader->priv->stages; elem;) {
     GstGLSLStage *stage = elem->data;
+    GList *next = elem->next;
 
     gst_gl_shader_detach_unlocked (shader, stage);
+    elem = next;
   }
 
   g_list_free_full (shader->priv->stages, (GDestroyNotify) gst_object_unref);