From 538e82c6f7ff8f2652651d6201c32f27b0ae3a62 Mon Sep 17 00:00:00 2001 From: Alessandro Decina Date: Mon, 5 Jul 2010 13:01:53 +0200 Subject: [PATCH] clock: fix refcounting bug in gst_clock_set_master. Make sure clock->clockid is unreffed before clock->master. gst_clock_id_unschedule (clock->clockid) tries to access clock->master. If clock->master is unreffed before and it's deallocated, _unschedule could access free'd memory. --- gst/gstclock.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/gst/gstclock.c b/gst/gstclock.c index ccc928b3f6..1c4765d43a 100644 --- a/gst/gstclock.c +++ b/gst/gstclock.c @@ -1078,11 +1078,8 @@ gst_clock_set_master (GstClock * clock, GstClock * master) /* we always allow setting the master to NULL */ if (master && !GST_OBJECT_FLAG_IS_SET (clock, GST_CLOCK_FLAG_CAN_SET_MASTER)) goto not_supported; - GST_CAT_DEBUG_OBJECT (GST_CAT_CLOCK, clock, "slaving %p to master clock %p", clock, master); - master_p = &clock->master; - gst_object_replace ((GstObject **) master_p, (GstObject *) master); GST_OBJECT_UNLOCK (clock); GST_CLOCK_SLAVE_LOCK (clock); @@ -1103,6 +1100,11 @@ gst_clock_set_master (GstClock * clock, GstClock * master) } GST_CLOCK_SLAVE_UNLOCK (clock); + GST_OBJECT_LOCK (clock); + master_p = &clock->master; + gst_object_replace ((GstObject **) master_p, (GstObject *) master); + GST_OBJECT_UNLOCK (clock); + return TRUE; /* ERRORS */
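Review bot: The block added at the end of gst_clock_set_master depends on an ordering rule that the code never states: `clock->master` may only be replaced after the slave-locked section has unscheduled and unreffed `clock->clockid`. Per the commit message, gst_clock_id_unschedule() reads clock->master, so dropping that reference earlier can leave it pointing at freed memory. I would add a comment directly above the new `GST_OBJECT_LOCK (clock);`, for example `/* replace the master only after clockid is released above: unscheduling it reads clock->master */`, so that a later cleanup does not move the replace back under the first lock. Separately, the swap now runs under a second acquisition of the object lock, taken after GST_CLOCK_SLAVE_UNLOCK. Two concurrent callers could apparently finish in opposite orders and leave clock->master and the scheduled clockid referring to different masters; the slave-locked section lies outside this hunk, so this needs checking against the full function and its lock order.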