From ae6ac2a659304b5d580379045f61c179a6f3cb0e Mon Sep 17 00:00:00 2001
From: Albert Sjolund
Date: Fri, 25 Oct 2024 10:38:36 +0200
Subject: [PATCH] appsrc: Fix use-after-free when making buffer / buffer-lists writable

make_writable can cause a reallocation of the buffer, meaning that obj would point to an invalid object, both for buffer and for bufferlist.

Part-of:
---
 subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c b/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c
index c013f5cc09..f8e2d030b4 100644
--- a/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c
+++ b/subprojects/gst-plugins-base/gst-libs/gst/app/gstappsrc.c
@@ -1569,6 +1569,8 @@ gst_app_src_create (GstBaseSrc * bsrc, guint64 offset, guint size,
 * instead of outputting it */
 if (priv->need_discont_downstream) {
 buffer = gst_buffer_make_writable (buffer);
+ /* In case it reallocates the buffer */
+ obj = GST_MINI_OBJECT (buffer);
 GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT);
 priv->need_discont_downstream = FALSE;
 }
@@ -1594,6 +1596,8 @@ gst_app_src_create (GstBaseSrc * bsrc, guint64 offset, guint size,
 GstBuffer *buffer;
 
 buffer_list = gst_buffer_list_make_writable (buffer_list);
+ /* In case it reallocates the bufferlist */
+ obj = GST_MINI_OBJECT (buffer_list);
 buffer = gst_buffer_list_get_writable (buffer_list, 0);
 GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT);
 priv->need_discont_downstream = FALSE;
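Review bot: The added comment `/* In case it reallocates the buffer */` in the hunk at -1569 does not say why `obj` has to be refreshed, so the reassignment can look optional to a later editor and be dropped again. gst_buffer_make_writable() takes ownership of the buffer it is given and, when that buffer is not writable, returns a copy and releases the reference to the original, which leaves the earlier `obj` alias pointing at memory that may already be freed. I would state that directly, e.g. `/* make_writable() may return a copy and unref the original; refresh obj so later uses do not touch the freed buffer */`, and use the matching wording for the buffer-list comment in the hunk at -1594. The later reads of `obj` are outside both hunks, so this relies on the commit message's statement that `obj` is used again further down in gst_app_src_create.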
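Review bot: In the hunk at -1594 the result of `gst_buffer_list_get_writable (buffer_list, 0)` goes straight into `GST_BUFFER_FLAG_SET` with no NULL check, and the fix leaves that as it was. If an empty buffer list can reach this branch (the push path and any length check are not visible here), index 0 is out of range and, as far as I know, the call returns NULL, which the flag macro would then dereference. A guard such as `if (buffer != NULL) GST_BUFFER_FLAG_SET (buffer, GST_BUFFER_FLAG_DISCONT);`, or a `gst_buffer_list_length (buffer_list) > 0` condition on the enclosing `if`, would close that off. The enclosing block starts and ends outside the hunk, so an earlier check may already exist.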