From: Wim Taymans <wtaymans@redhat.com>
Date: Thu, 16 Aug 2018 09:42:25 +0000 (+0200)
Subject: curlhhtpsrc: avoid invalid memory references
X-Git-Tag: 1.19.3~507^2~4003
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cb16d0b239ef3173bf356a6fe86f30403f285941;p=platform%2Fupstream%2Fgstreamer.git

curlhhtpsrc: avoid invalid memory references

gst_curl_http_src_remove_queue_item() can free qelement and then
we get an invalid memory reference when we do qelement->next a
couple of lines below. Take the next pointer earlier so that we can
safely free.
---

diff --git a/ext/curl/gstcurlhttpsrc.c b/ext/curl/gstcurlhttpsrc.c
index e60ccf5..c1a0bcf 100644
--- a/ext/curl/gstcurlhttpsrc.c
+++ b/ext/curl/gstcurlhttpsrc.c
@@ -1509,7 +1509,7 @@ static void
 gst_curl_http_src_curl_multi_loop (gpointer thread_data)
 {
   GstCurlHttpSrcMultiTaskContext *context;
-  GstCurlHttpSrcQueueElement *qelement;
+  GstCurlHttpSrcQueueElement *qelement, *qnext;
   int i, still_running;
   gboolean cond = FALSE;
   CURLMsg *curl_message;
@@ -1655,6 +1655,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
   } else if (context->state == GSTCURL_MULTI_LOOP_STATE_REQUEST_REMOVAL) {
     qelement = context->queue;
     while (qelement != NULL) {
+      qnext = qelement->next;
       if (qelement->p == context->request_removal_element) {
         g_mutex_lock (&qelement->p->buffer_mutex);
         curl_multi_remove_handle (context->multi_handle,
@@ -1668,7 +1669,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
         g_mutex_unlock (&qelement->p->buffer_mutex);
         gst_curl_http_src_remove_queue_item (&context->queue, qelement->p);
       }
-      qelement = qelement->next;
+      qelement = qnext;
     }
     context->request_removal_element = NULL;
     context->state = GSTCURL_MULTI_LOOP_STATE_RUNNING;