From: Philippe Normand Date: Sat, 8 Sep 2018 12:05:13 +0000 (+0100) Subject: bin: Fix use-after-free issue in gst_bin_add() X-Git-Tag: 1.16.2~277 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=616d588b52ec44ffb0c522a029ed9c99ae6f6bd0;p=platform%2Fupstream%2Fgstreamer.git bin: Fix use-after-free issue in gst_bin_add() gst_element_post_message() takes ownership of the message so we need to increase its refcount until we no longer require access to its data (context_type). https://bugzilla.gnome.org/show_bug.cgi?id=797099 --- diff --git a/gst/gstbin.c b/gst/gstbin.c index 96a0c9d..e5d4ecd 100644 --- a/gst/gstbin.c +++ b/gst/gstbin.c @@ -1301,12 +1301,14 @@ no_state_recalc: s = (GstStructure *) gst_message_get_structure (msg); gst_structure_get (s, "bin.old.context", GST_TYPE_CONTEXT, &context, NULL); gst_structure_remove_field (s, "bin.old.context"); - gst_element_post_message (GST_ELEMENT_CAST (bin), msg); + /* Keep the msg around while we still need access to the context_type */ + gst_element_post_message (GST_ELEMENT_CAST (bin), gst_message_ref (msg)); /* lock to avoid losing a potential write */ GST_OBJECT_LOCK (bin); replacement = gst_element_get_context_unlocked (GST_ELEMENT_CAST (bin), context_type); + gst_message_unref (msg); if (replacement) { /* we got the context set from GstElement::set_context */
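Review bot: gst_message_unref (msg) sits after GST_OBJECT_LOCK (bin) with no unlock in between, so when the posted reference has already been dropped this is the last ref and the message is finalized while the bin's object lock is held. Consider moving the unref to after the matching unlock, or duplicating context_type (for example with g_strdup) before gst_element_post_message() and freeing the copy afterwards, which removes the dependency on the lifetime of msg entirely. The new comment would also help future readers more if it stated that context_type is data owned by msg, as the commit message does, since that borrowed pointer is the reason the extra ref is needed.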