Bug 707536 - collectpads: unref of NULL pointer after pad removal
Status: RESOLVED FIXED
Product: GStreamer
Classification: Platform
Component: gstreamer (core)
Version: git master
OS: Other Mac OS
Priority: Normal
Severity: critical
Target Milestone: 1.0.11
Assigned To: GStreamer Maintainers
QA Contact: GStreamer Maintainers
Depends on:
Blocks:
Reported: 2013-09-05 06:23 UTC by Zaheer Abbas Merali
Modified: 2013-09-09 10:40 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
patch to fix (521 bytes, patch) - 2013-09-05 06:23 UTC, Zaheer Abbas Merali - committed

Description Zaheer Abbas Merali 2013-09-05 06:23:45 UTC
Created attachment 254155 [details] [review]
patch to fix

If a pad is removed while a collectpads element (say adder) is in a chain function waiting to be collected, there is a possibility that an unref happens on a NULL pointer.

The code below shows the pad_removed label would only be gone to when data is NULL:

    if (G_UNLIKELY ((data = gst_pad_get_element_private (pad)) == NULL))
      goto pad_removed;

Yet in pad_removed, it does a goto unlock_done:

pad_removed:
  {
    GST_WARNING ("%s got removed from collectpads", GST_OBJECT_NAME (pad));
    GST_OBJECT_UNLOCK (pad);
    ret = GST_FLOW_NOT_LINKED;
    goto unlock_done;
  }

And in unlock_done, unref_data is done on data, which in this case is guaranteed to be NULL.
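The control-flow defect described above, reduced to a self-contained C model (an added example, not GStreamer's code): CollectData, Pad, ref_data/unref_data and the two chain functions are stand-ins constructed for illustration, and the "before" version reproduces the pad_removed -> unlock_done -> unref_data(NULL) path while the "after" version guards the cleanup so only data that was actually taken a reference on is released. A counter records unrefs on NULL instead of hitting a g_critical, so the two behaviours can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins (not GStreamer types): a refcounted collect-data
 * record, a pad whose element-private pointer is NULL once it was removed,
 * and the flow-return values used by the chain function. */
typedef enum { FLOW_OK = 0, FLOW_NOT_LINKED = -1 } FlowReturn;

typedef struct {
  int refcount;
} CollectData;

typedef struct {
  CollectData *element_private; /* NULL after the pad has been removed */
} Pad;

/* Counts unref calls that received NULL; in the real code that is the bug. */
static int null_unref_count = 0;

static void ref_data(CollectData *data) { data->refcount++; }

static void unref_data(CollectData *data) {
  if (data == NULL) {
    null_unref_count++; /* would be a critical warning or crash in practice */
    return;
  }
  data->refcount--;
}

/* Mirrors the original flow: pad_removed only sets ret and jumps to
 * unlock_done, which unrefs data unconditionally even though data is NULL. */
static FlowReturn chain_before_fix(Pad *pad) {
  CollectData *data;
  FlowReturn ret = FLOW_OK;

  if ((data = pad->element_private) == NULL)
    goto pad_removed;
  ref_data(data);
  /* ... wait to be collected, hand the buffer on ... */
  goto unlock_done;

pad_removed:
  ret = FLOW_NOT_LINKED;
  goto unlock_done;

unlock_done:
  unref_data(data); /* data is guaranteed NULL on the pad_removed path */
  return ret;
}

/* Same flow with the cleanup guarded: release only what was referenced. */
static FlowReturn chain_after_fix(Pad *pad) {
  CollectData *data;
  FlowReturn ret = FLOW_OK;

  if ((data = pad->element_private) == NULL)
    goto pad_removed;
  ref_data(data);
  goto unlock_done;

pad_removed:
  ret = FLOW_NOT_LINKED;
  goto unlock_done;

unlock_done:
  if (data != NULL)
    unref_data(data);
  return ret;
}

/* Drive each version over a removed pad and report NULL-unref counts. */
int null_unrefs_before_fix(void) {
  Pad removed = { NULL };
  null_unref_count = 0;
  chain_before_fix(&removed);
  return null_unref_count;
}

int null_unrefs_after_fix(void) {
  Pad removed = { NULL };
  null_unref_count = 0;
  chain_after_fix(&removed);
  return null_unref_count;
}

/* The fixed path still reports the removal to the caller. */
FlowReturn removed_pad_flow_after_fix(void) {
  Pad removed = { NULL };
  return chain_after_fix(&removed);
}

/* Live pad: the reference taken in the chain call must be released again. */
int refcount_after_normal_chain(void) {
  CollectData d = { 1 };
  Pad live = { &d };
  chain_after_fix(&live);
  return d.refcount;
}

int main(void) {
  printf("NULL unrefs before fix: %d\n", null_unrefs_before_fix());
  printf("NULL unrefs after fix:  %d\n", null_unrefs_after_fix());
  printf("refcount after normal chain: %d\n", refcount_after_normal_chain());
  return 0;
}
```

The general lesson is the usual one for shared cleanup labels: every jump into the label must leave the variables it releases in a consistent state, or the release must check them. Here the early-exit branch arrives with data == NULL, so the guard at unlock_done is what makes all paths safe.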
Comment 1 Sebastian Dröge (slomo) 2013-09-05 12:15:57 UTC
commit d1d99af22973dd379d95fa477097576275ec1394
Author: Zaheer Abbas Merali <zaheermerali@gmail.com>
Date:   Thu Sep 5 14:14:42 2013 +0200

    collectpads: Don't unref NULL GstCollectData
    
    If a pad is removed while a collectpads element (say adder) is in a chain
    function waiting to be collected, there is a possibility that an unref happens
    on a NULL pointer.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=707536
Comment 2 Sebastian Dröge (slomo) 2013-09-05 12:16:08 UTC
Comment on attachment 254155 [details] [review]
patch to fix

Please in "git format-patch" style next time :)
Comment 3 Tim-Philipp Müller 2013-09-05 16:47:57 UTC
Should this be picked into 1.0 as well?
Comment 4 Zaheer Abbas Merali 2013-09-05 16:55:45 UTC
Yes please!
Comment 5 Sebastian Dröge (slomo) 2013-09-09 10:40:33 UTC
Cherry-picked into 1.0