bin: Fix use-after-free issue in gst_bin_add()

gst_element_post_message() takes ownership of the message so we need to increase its refcount until we no longer require access to its data (context_type). https://bugzilla.gnome.org/show_bug.cgi?id=797099
author: Philippe Normand <philn@igalia.com> 2018-09-08 13:05:13 +0100
committer: Tim-Philipp Müller <tim@centricular.com> 2018-09-08 19:15:41 +0100
commit: 616d588b52ec44ffb0c522a029ed9c99ae6f6bd0 (patch)
tree: f3695f175d25070a026745ec599a7bf020824dba
parent: cbd02b95840f81152796d24ed4a619e115aa0797 (diff)
download: gstreamer-616d588b52ec44ffb0c522a029ed9c99ae6f6bd0.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/gst/gstbin.c b/gst/gstbin.c
index 96a0c9d753..e5d4ecd4c4 100644
--- a/gst/gstbin.c
+++ b/gst/gstbin.c
@@ -1301,12 +1301,14 @@ no_state_recalc:
     s = (GstStructure *) gst_message_get_structure (msg);
     gst_structure_get (s, "bin.old.context", GST_TYPE_CONTEXT, &context, NULL);
     gst_structure_remove_field (s, "bin.old.context");
-    gst_element_post_message (GST_ELEMENT_CAST (bin), msg);
+    /* Keep the msg around while we still need access to the context_type */
+    gst_element_post_message (GST_ELEMENT_CAST (bin), gst_message_ref (msg));
 
     /* lock to avoid losing a potential write */
     GST_OBJECT_LOCK (bin);
     replacement =
         gst_element_get_context_unlocked (GST_ELEMENT_CAST (bin), context_type);
+    gst_message_unref (msg);
 
     if (replacement) {
       /* we got the context set from GstElement::set_context */
author	Philippe Normand <philn@igalia.com>	2018-09-08 13:05:13 +0100
committer	Tim-Philipp Müller <tim@centricular.com>	2018-09-08 19:15:41 +0100
commit	616d588b52ec44ffb0c522a029ed9c99ae6f6bd0 (patch)
tree	f3695f175d25070a026745ec599a7bf020824dba
parent	cbd02b95840f81152796d24ed4a619e115aa0797 (diff)
download	gstreamer-616d588b52ec44ffb0c522a029ed9c99ae6f6bd0.tar.gz