From 029e01743f8786c23197d9697b89e9bc3eacfdf3 Mon Sep 17 00:00:00 2001
From: Matthew Waters <matthew@centricular.com>
Date: Thu, 24 Aug 2017 18:00:41 +1000
Subject: [PATCH] srtp: zero out session member on dealloc

Fixes a user-after-free retrieving stats from _get_property()
---
 ext/srtp/gstsrtpdec.c | 4 +++-
 ext/srtp/gstsrtpenc.c | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/ext/srtp/gstsrtpdec.c b/ext/srtp/gstsrtpdec.c
index e1be70e0a2..4ad989fb29 100644
--- a/ext/srtp/gstsrtpdec.c
+++ b/ext/srtp/gstsrtpdec.c
@@ -777,8 +777,10 @@ gst_srtp_dec_clear_streams (GstSrtpDec * filter)
 
   GST_OBJECT_LOCK (filter);
 
-  if (!filter->first_session)
+  if (!filter->first_session) {
     srtp_dealloc (filter->session);
+    filter->session = NULL;
+  }
 
   if (filter->streams)
     nb = g_hash_table_foreach_remove (filter->streams, remove_yes, NULL);
diff --git a/ext/srtp/gstsrtpenc.c b/ext/srtp/gstsrtpenc.c
index ff17fd03f7..893ece8be3 100644
--- a/ext/srtp/gstsrtpenc.c
+++ b/ext/srtp/gstsrtpenc.c
@@ -447,8 +447,10 @@ gst_srtp_enc_create_session (GstSrtpEnc * filter)
 static void
 gst_srtp_enc_reset_no_lock (GstSrtpEnc * filter)
 {
-  if (!filter->first_session)
+  if (!filter->first_session) {
     srtp_dealloc (filter->session);
+    filter->session = NULL;
+  }
 
   filter->first_session = TRUE;
   filter->key_changed = FALSE;