appsrc: Fix use-after-free when making buffer / buffer-lists writable

make_writable can cause a reallocation of the buffer, meaning that obj
would point to an invalid object, both for buffer and for bufferlist.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/7806>
Albert Sjolund 2024-10-25 10:38:36 +02:00 committed by Backport Bot
parent 2e198d4e59
commit 6575d1de8e


@ -1569,6 +1569,8 @@ gst_app_src_create (GstBaseSrc * bsrc, guint64 offset, guint size,
* instead of outputting it */ * instead of outputting it */
if (priv->need_discont_downstream) { if (priv->need_discont_downstream) {
buffer = gst_buffer_make_writable (buffer); buffer = gst_buffer_make_writable (buffer);
/* In case it reallocates the buffer */
obj = GST_MINI_OBJECT (buffer);
GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT); GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT);
priv->need_discont_downstream = FALSE; priv->need_discont_downstream = FALSE;
} }
@ -1594,6 +1596,8 @@ gst_app_src_create (GstBaseSrc * bsrc, guint64 offset, guint size,
GstBuffer *buffer; GstBuffer *buffer;
buffer_list = gst_buffer_list_make_writable (buffer_list); buffer_list = gst_buffer_list_make_writable (buffer_list);
/* In case it reallocates the bufferlist */
obj = GST_MINI_OBJECT (buffer_list);
buffer = gst_buffer_list_get_writable (buffer_list, 0); buffer = gst_buffer_list_get_writable (buffer_list, 0);
GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT); GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT);
priv->need_discont_downstream = FALSE; priv->need_discont_downstream = FALSE;