From: Matthew Waters <matthew@centricular.com>
Date: Fri, 13 Nov 2015 05:50:22 +0000 (+1100)
Subject: glshader: don't read invalid list pointers (use after free)
X-Git-Tag: 1.19.3~507^2~7584
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=babd066b894fc3694693a2abb3cd0d8c6a66992e;p=platform%2Fupstream%2Fgstreamer.git

glshader: don't read invalid list pointers (use after free)

gst_gl_shader_detach_unlocked already removes the list entry so attempting to
use the element to iterate to the next stage could read invalid data.

Based on patch by Vineeth TM <vineeth.tm@samsung.com>

https://bugzilla.gnome.org/show_bug.cgi?id=758039
---

diff --git a/gst-libs/gst/gl/gstglshader.c b/gst-libs/gst/gl/gstglshader.c
index 218c0a8..05b4caf 100644
--- a/gst-libs/gst/gl/gstglshader.c
+++ b/gst-libs/gst/gl/gstglshader.c
@@ -668,10 +668,12 @@ gst_gl_shader_release_unlocked (GstGLShader * shader)
 
   priv = shader->priv;
 
-  for (elem = shader->priv->stages; elem; elem = elem->next) {
+  for (elem = shader->priv->stages; elem;) {
     GstGLSLStage *stage = elem->data;
+    GList *next = elem->next;
 
     gst_gl_shader_detach_unlocked (shader, stage);
+    elem = next;
   }
 
   g_list_free_full (shader->priv->stages, (GDestroyNotify) gst_object_unref);