From a4d900332bae1648c034b827ac0eefbf87faaee6 Mon Sep 17 00:00:00 2001
From: Matthew Waters
Date: Fri, 29 May 2020 22:21:10 +1000
Subject: [PATCH] vulkanimagememory: fix use-after-free releasing a view
If the view has the last reference to the image, then gst_clear_mini_object will destroy the image and the lock used in the next line.
Part-of:
---
 gst-libs/gst/vulkan/gstvkimagememory.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gst-libs/gst/vulkan/gstvkimagememory.c b/gst-libs/gst/vulkan/gstvkimagememory.c
index 711df1c..49c0bd6 100644
--- a/gst-libs/gst/vulkan/gstvkimagememory.c
+++ b/gst-libs/gst/vulkan/gstvkimagememory.c
@@ -549,6 +549,7 @@ gst_vulkan_image_memory_release_view (GstVulkanImageMemory * image,
 guint index;
 g_return_if_fail (gst_is_vulkan_image_memory (GST_MEMORY_CAST (image)));
+ g_return_if_fail (image == view->image);
 g_mutex_lock (&image->lock);
 GST_CAT_TRACE (GST_CAT_VULKAN_IMAGE_MEMORY, "image %p removing view %p",
@@ -561,8 +562,9 @@ gst_vulkan_image_memory_release_view (GstVulkanImageMemory * image,
 g_warning ("GstVulkanImageMemory:%p attempt to remove a view %p " "that we do not own", image, view);
 }
- gst_clear_mini_object ((GstMiniObject **) & view->image);
+ view->image = NULL;
 g_mutex_unlock (&image->lock);
+ gst_memory_unref ((GstMemory *) image);
 }
 /**
--
2.7.4
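Review bot: The final `gst_memory_unref ((GstMemory *) image);` in the second hunk runs on every path, including the `g_warning` branch taken when the view is not one the image owns, so the reference balance rests entirely on the `g_return_if_fail (image == view->image);` added in the first hunk. That macro expands to nothing when the code is compiled with `G_DISABLE_CHECKS`, and it reads `view->image` before `image->lock` is taken; in such a build a repeated release of the same view would drop a reference the view no longer holds, which is the same class of lifetime bug this commit sets out to fix. I would make the ownership test a real branch under the lock, for example `if (view->image != image) { g_mutex_unlock (&image->lock); return; }` placed just before `view->image = NULL;`. The part of the function between the two hunks is not visible here, so this should be confirmed against the full body.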