GNOME Bugzilla – Bug 776125
fix an use after free in gst_base_sink_send_event()
Last modified: 2017-11-02 22:38:08 UTC
Created attachment 342006
Hold a reference on the event until the debug macro is called.

Hi! I noticed with the address sanitizer a case where the event may be disposed while being pushed. When this happens, the event cannot be used in the GST_DEBUG_OBJECT() macro a couple of lines later.
Review of attachment 342006:

::: libs/gst/base/gstbasesink.c
@@ +4504,2 @@
GST_DEBUG_OBJECT (basesink, "handled event %p %" GST_PTR_FORMAT ": %d", event, event, result);

The nicer solution would be to move this debug output before the gst_pad_push() (without the result of course, and saying "sending" instead of "handled"). And then having another here that just says "handled event: %", result.

That way the event is possibly writeable by downstream and we don't keep another reference to it.
Let me know if you want to update the patch, or if you'd prefer me or someone else to work on this. Thanks :)
Created attachment 342088
basesink: fix a use after free case

This is an update of my patch that splits the GST_DEBUG_OBJECT() message in two parts as suggested. Thanks for the review.
Comment on attachment 342088
basesink: fix a use after free case

Pushed this to master now, thanks!
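
The two approaches discussed in this thread, as an added example that is not part of the bug report or of GStreamer's code. The toy `Event` type and `pad_push()` are hypothetical stand-ins: they show that holding an extra reference across the push makes downstream see a refcount of 2, while logging before the push leaves it at 1 (writable) and never touches the event afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy refcounted event: hypothetical stand-in for GstEvent, not GStreamer API. */
typedef struct { int refcount; int type; } Event;
static int refs_seen_downstream; /* refcount observed by the consumer */
static int events_freed;         /* number of events actually released */
static Event *event_new(int type) {
    Event *e = malloc(sizeof *e);
    if (!e) abort();
    e->refcount = 1; e->type = type;
    return e;
}
static void event_ref(Event *e) { e->refcount++; }
static void event_unref(Event *e) {
    if (--e->refcount == 0) { events_freed++; free(e); }
}
/* Hypothetical push: consumes the caller's reference, so e may be freed here. */
static int pad_push(Event *e) {
    refs_seen_downstream = e->refcount; /* 1 means writable downstream */
    event_unref(e);
    return 1;
}
/* First patch's approach: hold an extra reference until after logging. */
int send_event_hold_ref(Event *e) {
    event_ref(e);
    int result = pad_push(e);
    printf("handled event %p type %d: %d\n", (void *)e, e->type, result);
    event_unref(e);
    return result;
}
/* Updated patch's approach: log before the push, then log only the result. */
int send_event_split_log(Event *e) {
    printf("sending event %p type %d\n", (void *)e, e->type);
    int result = pad_push(e); /* e must not be touched after this line */
    printf("handled event: %d\n", result);
    return result;
}
/* Runs one variant on a constructed event; returns the refcount downstream saw. */
int downstream_refs(int use_split) {
    Event *e = event_new(7);
    if (use_split) send_event_split_log(e); else send_event_hold_ref(e);
    return refs_seen_downstream;
}
int freed_count(void) { return events_freed; }
int main(void) {
    printf("hold-ref saw %d refs, split-log saw %d refs\n",
           downstream_refs(0), downstream_refs(1));
    return 0;
}
```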