From b09fbe0797d4982e8ac88091e4fc072ae529a9dc Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Wed, 15 Jun 2016 13:43:59 +0100
Subject: [PATCH] queue2: fix crash deleting current region for small ring buffers

Ensure we do not attempt to destroy the current range. Doing so causes the current one to be left dangling, and it may be dereferenced later, leading to a crash. This can happen with a very small queue2 ring buffer (10000 bytes) and 4 kB buffers. repro case: gst-launch-1.0 fakesrc sizetype=2 sizemax=4096 ! \ queue2 ring-buffer-max-size=1000 ! fakesink sync=true https://bugzilla.gnome.org/show_bug.cgi?id=767688
---
 plugins/elements/gstqueue2.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/plugins/elements/gstqueue2.c b/plugins/elements/gstqueue2.c
index a69c9092b1..35c98cebc7 100644
--- plugins/elements/gstqueue2.c
+++ b/plugins/elements/gstqueue2.c
@@ -1844,6 +1844,9 @@ gst_queue2_create_write (GstQueue2 * queue, GstBuffer * buffer)
 guint64 range_data_start, range_data_end;
 GstQueue2Range *range_to_destroy = NULL;
+ if (range == queue->current)
+ goto next_range;
+
 range_data_start = range->rb_offset;
 range_data_end = range->rb_writing_pos;
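Review bot: The added `if (range == queue->current) goto next_range;` skips the whole loop body for the current range, not only its destruction, so any trimming of a range whose ring-buffer bytes this write is about to overwrite (presumably done further down, outside the hunk) is skipped for it as well. With a ring buffer smaller than a single buffer, as in the repro, the current range may then keep an `rb_offset`..`rb_writing_pos` window describing bytes that have been replaced; this removes the dangling `queue->current`, but it is worth confirming against the rest of gst_queue2_create_write that a reader cannot be served stale data from that window. The guard also has no comment; something like `/* never destroy queue->current here: it may be dereferenced later */` would record why the range is exempt. The loop and the `next_range` label both lie outside the hunk, so the state at the label can only be inferred from `range_to_destroy` being initialised to NULL before the jump.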