GNOME Bugzilla – Bug 771649
gst_bin_sort_iterator_copy doesn't copy GstBinSortIterator::queue
Last modified: 2016-09-30 10:49:40 UTC
I am sending you this bug report and patch, made by Kouhei Sutou <kou@clear-code.com> from the Ruby-GNOME2 project.

Fix a bug where GstBinSortIterator's copy function, gst_bin_sort_iterator_copy(), doesn't copy GstBinSortIterator::queue. It copies only the addresses of the internal lists. This means that the queue is shared with the copy source GstBinSortIterator. If the source GstSortIterator is freed, the destination GstBinSortIterator's queue is invalid.

The process crashes when gst_iterator_next() is called with the destination GstBinSortIterator after the source GstBinSortIterator is freed, because the destination GstBinSortIterator's queue is invalid.

diff --git a/gst/gstbin.c b/gst/gstbin.c index a76810e..28bae67 100644 --- a/gst/gstbin.c +++ b/gst/gstbin.c @@ -2135,14 +2135,24 @@ typedef struct _GstBinSortIterator } GstBinSortIterator; static void +copy_to_queue (gpointer data, gpointer user_data) +{ + GstElement *element = data; + GQueue *queue = user_data; + + gst_object_ref (element); + g_queue_push_tail (queue, element); +} + +static void gst_bin_sort_iterator_copy (const GstBinSortIterator * it, GstBinSortIterator * copy) { GHashTableIter iter; gpointer key, value; - copy->queue = it->queue; - g_queue_foreach (©->queue, (GFunc) gst_object_ref, NULL); + g_queue_init (©->queue); + g_queue_foreach (&it->queue, copy_to_queue, ©->queue); copy->bin = gst_object_ref (it->bin); if (it->best) -- 2.9.3

Regards
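
Review bot: In gst_bin_sort_iterator_copy(), `it` is declared `const GstBinSortIterator *`, so `&it->queue` in the new g_queue_foreach() call points to a const GQueue, while g_queue_foreach() takes a non-const `GQueue *`; the call will draw a discarded-qualifier warning. An explicit cast such as `(GQueue *) &it->queue`, with a short comment that the source queue is only read, would make the intent clear. A comment on copy_to_queue() stating that every element pushed onto the copy's queue carries its own reference would also help the next reader check that the references are released when the copy is freed. A regression test that copies the iterator, frees the source and then calls gst_iterator_next() on the copy, which is the crash described in the report, is worth adding alongside the fix.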
commit a43de49d522178d592c44149fd284418e8314336
Author: Kouhei Sutou <kou@clear-code.com>
Date:   Mon Sep 19 10:04:55 2016 -0400

    bin: When copying the sort iterator, also copy its internal queue

    Otherwise both iterators share the same references, the second one
    usually resulting in a crash when being freed.

    https://bugzilla.gnome.org/show_bug.cgi?id=771649