GNOME Bugzilla – Bug 633970
[icydemux] broken taglist handling
Last modified: 2010-11-04 09:36:37 UTC
This code in icydemux:

    if (GST_EVENT_TYPE (event) == GST_EVENT_TAG) {
      GstTagList *tags;

      gst_event_parse_tag (event, &tags);
      gst_event_unref (event);
      return gst_icydemux_tag_found (icydemux, tags);
    }

uses the taglist after it has been freed, resulting in a critical error during normal ice/shoutcast stream playback. gst_event_parse_tag does not return a copy of the taglist, it returns a pointer to the taglist owned by the event.
Created attachment 173813: simple fix
Comment on attachment 173813: simple fix

The patch looks good and should get into this release. Note that gst_icydemux_tag_found() takes a copy of the taglist internally, different than gst_element_found_tags() for example, so this patch is really correct.
Nice catch, and just in time. Thanks!

commit 5b68b64617f08939e2b14a0ad88e1996504c544d
Author: Jonathan Matthew <jonathan@d14n.org>
Date:   Thu Nov 4 16:42:07 2010 +1000

    icydemux: fix use-after-free of taglist

    Broken by commit 4c2f5333 (bug #630205).

    https://bugzilla.gnome.org/show_bug.cgi?id=633970
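The ownership mistake reported in this bug, as an added example that is neither GStreamer code nor the attached patch: a self-contained C model in which an event owns its tag list and the parse call hands out a borrowed pointer. All names (`Event`, `TagList`, `event_parse_tag`, `tag_found`, the static pool) are hypothetical, and the pool stands in for the heap so that the released list can be checked safely.

```c
#include <stdio.h>
#include <string.h>

/* Toy model; every name here is hypothetical, not the GStreamer API. */
typedef struct { int live; char title[32]; } TagList;
typedef struct { int refcount; TagList *tags; } Event;
static TagList pool[4]; /* static pool: a "freed" list can be inspected without UB */
static Event event_new_tag(const char *title) {
    Event e = { 1, NULL };
    for (int i = 0; i < 4 && !e.tags; i++)
        if (!pool[i].live) { pool[i].live = 1; e.tags = &pool[i]; }
    if (e.tags) snprintf(e.tags->title, sizeof e.tags->title, "%s", title);
    return e;
}
/* The event owns its tag list: dropping the last ref releases the list too. */
static void event_unref(Event *e) {
    if (--e->refcount == 0 && e->tags) { e->tags->live = 0; e->tags->title[0] = '\0'; }
}
/* Hands out a borrowed pointer, not a copy (the behaviour the report describes). */
static void event_parse_tag(Event *e, TagList **out) { *out = e->tags; }
/* Consumer that copies the list; returns -1 if handed a released list. */
static int tag_found(const TagList *t, char *copy, size_t n) {
    if (!t || !t->live) return -1;
    snprintf(copy, n, "%s", t->title);
    return 0;
}
/* Order from the report: unref first, then use the borrowed pointer. */
static int handle_tag_buggy(Event *e, char *copy, size_t n) {
    TagList *tags;
    event_parse_tag(e, &tags);
    event_unref(e);
    return tag_found(tags, copy, n);
}
/* Safe order: consume while the event still holds the list, then unref. */
static int handle_tag_fixed(Event *e, char *copy, size_t n) {
    TagList *tags;
    event_parse_tag(e, &tags);
    int ret = tag_found(tags, copy, n);
    event_unref(e);
    return ret;
}
int main(void) {
    char buf[32] = "";
    Event a = event_new_tag("Station A"), b = event_new_tag("Station B");
    printf("buggy: %d\n", handle_tag_buggy(&a, buf, sizeof buf));
    printf("fixed: %d\n", handle_tag_fixed(&b, buf, sizeof buf));
    printf("copy:  %s\n", buf);
    return 0;
}
```

In real code the released list lives on the heap, so the buggy order reads freed memory instead of returning a clean error; a build with AddressSanitizer or a run under Valgrind reports that access.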