wavparse: Avoid occasional crash due to referencing freed buffer.

We've seen occasional crashes in the `wavparse` module associated with
referencing a buffer in `gst_wavparse_chain` that's already been freed.  The
reference is stolen when the buffer is transferred to the adapter with
`gst_adapter_push` and, IIUC, assuming the source doesn't hold a reference to
the buffer, the buffer could be freed during interaction with the adapter in
`gst_wavparse_stream_headers`.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3181>
This commit is contained in:
Devin Anderson 2022-10-14 01:23:04 +00:00 committed by Tim-Philipp Müller
parent 80de451c06
commit 3286e0942f

View file

@ -2333,6 +2333,11 @@ gst_wavparse_chain (GstPad * pad, GstObject * parent, GstBuffer * buf)
GST_LOG_OBJECT (wav, "adapter_push %" G_GSIZE_FORMAT " bytes",
gst_buffer_get_size (buf));
/* Hold a reference to the buffer, as we access buffer properties in the
`GST_WAVPARSE_DATA` case below and `gst_adapter_push` steals a reference
to the buffer. */
gst_buffer_ref (buf);
gst_adapter_push (wav->adapter, buf);
switch (wav->state) {
@ -2364,7 +2369,7 @@ gst_wavparse_chain (GstPad * pad, GstObject * parent, GstBuffer * buf)
goto done;
break;
default:
g_return_val_if_reached (GST_FLOW_ERROR);
g_assert_not_reached ();
}
done:
if (G_UNLIKELY (wav->abort_buffering)) {
@ -2374,6 +2379,8 @@ done:
GST_ELEMENT_ERROR (wav, STREAM, DEMUX, (NULL), ("unhandled buffer size"));
}
gst_buffer_unref (buf);
return ret;
}