From: Matthew Waters
Date: Thu, 3 Jun 2021 05:57:39 +0000 (+1000)
Subject: glvideomixer: hold extra pad ref while calling parent
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=3bbcfe9c23e7f4c80a26ef38564e88ed99733d75;p=platform%2Fupstream%2Fgst-plugins-base.git
glvideomixer: hold extra pad ref while calling parent
Our subsequent cleanup needs a ref on the pad and calling the parent may release the last reference and could cause a use-after-free.
Part-of:
---
diff --git a/ext/gl/gstglvideomixer.c b/ext/gl/gstglvideomixer.c
index 8516286..a08016b 100644
--- a/ext/gl/gstglvideomixer.c
+++ b/ext/gl/gstglvideomixer.c
@@ -881,7 +881,9 @@ gst_gl_video_mixer_release_pad (GstElement * element, GstPad * p)
 /* we call the base class first as this will remove the pad from
 * the aggregator, thus stopping misc callbacks from being called,
 * one of which (process_textures) will recreate the vertex_buffer
- * if it is destroyed */
+ * if it is destroyed. Calling the parent may release the last ref to the pad
+ * so we need to keep the pad alive for the follow up clean up */
+ gst_object_ref (pad);
 GST_ELEMENT_CLASS (g_type_class_peek_parent (G_OBJECT_GET_CLASS (element)))
 ->release_pad (element, p);
 
@@ -891,6 +893,7 @@ gst_gl_video_mixer_release_pad (GstElement * element, GstPad * p)
 _del_buffer, &pad->vertex_buffer);
 pad->vertex_buffer = 0;
 }
+ gst_object_unref (pad);
 }
 
 static void
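Review bot: In the second hunk, `&pad->vertex_buffer` is handed to `_del_buffer` immediately before the new `gst_object_unref (pad)`, so the added ref only protects that pointer if the dispatching call has already run the callback by the time it returns. The start of that call lies outside the hunk, so whether it blocks cannot be confirmed from the lines shown. If it does block, a short comment above the unref would keep the invariant visible to the next editor: `/* _del_buffer has run by now; nothing else holds a pointer into pad */`. If it can return before the callback runs, the unref would have to move to where the callback completes, otherwise the use-after-free this commit addresses is only narrowed. The body of gst_gl_video_mixer_release_pad starts above the first hunk.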