From 7d2300efa1c57220ceb962f9385e1d66c6b1168c Mon Sep 17 00:00:00 2001
From: Matthew Waters
Date: Fri, 10 Mar 2023 16:47:17 +1100
Subject: [PATCH] vulkanoverlaycompositor: don't do a potential use after free
Removing a meta from a buffer means one doesn't have access to it anymore. Instead use the already reffed composition directly. Fixes a use-after-free in the following pipeline: ... ! vulkanupload ! timeoverlay ! vulkanoverlaycompositor ! ...
Part-of:
---
 subprojects/gst-plugins-bad/ext/vulkan/vkoverlaycompositor.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-bad/ext/vulkan/vkoverlaycompositor.c b/subprojects/gst-plugins-bad/ext/vulkan/vkoverlaycompositor.c
index dc405df..5908a57 100644
--- a/subprojects/gst-plugins-bad/ext/vulkan/vkoverlaycompositor.c
+++ b/subprojects/gst-plugins-bad/ext/vulkan/vkoverlaycompositor.c
@@ -729,6 +729,7 @@ gst_vulkan_overlay_compositor_transform_ip (GstBaseTransform * bt,
 comp = gst_video_overlay_composition_ref (ometa->overlay);
 gst_buffer_remove_meta (buffer, (GstMeta *) ometa);
+ ometa = NULL;
 n = gst_video_overlay_composition_n_rectangles (comp);
 if (n == 0) {
@@ -765,7 +766,7 @@ gst_vulkan_overlay_compositor_transform_ip (GstBaseTransform * bt,
 struct vk_overlay *over = &g_array_index (vk_overlay->overlays, struct vk_overlay, i);
- if (!overlay_in_rectangles (over, ometa->overlay)) {
+ if (!overlay_in_rectangles (over, comp)) {
 g_array_remove_index (vk_overlay->overlays, i);
 continue;
 }
-- 
2.7.4
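Review bot: The added `ometa = NULL;` after `gst_buffer_remove_meta ()` in the first hunk carries no comment, although the lifetime rule behind it is what the whole fix depends on; I would add `/* ometa is released together with the meta; only comp, which holds its own ref, is valid below */` above it. With the pointer cleared, any `ometa->` access left further down would become a NULL dereference instead of a silent use-after-free, so the rest of gst_vulkan_overlay_compositor_transform_ip, which starts and ends outside both hunks, should be checked for uses other than the one replaced in the second hunk. The `if (n == 0)` branch and the exit paths are not visible here; each presumably has to drop the reference taken by `gst_video_overlay_composition_ref ()`, and that unref must come after the loop in the second hunk now that the loop reads `comp`.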