queue2: fix crash deleting current region for small ring buffers

Ensure we do not attempt to destroy the current range. Doing so
causes the current one to be left dangling, and it may be dereferenced
later, leading to a crash.

This can happen with a very small queue2 ring buffer (10000 bytes)
and 4 kB buffers.

repro case:

gst-launch-1.0 fakesrc sizetype=2 sizemax=4096 ! \
queue2 ring-buffer-max-size=1000 ! fakesink sync=true

https://bugzilla.gnome.org/show_bug.cgi?id=767688
This commit is contained in:
Vincent Penquerc'h 2016-06-15 13:43:59 +01:00 committed by Sebastian Dröge
parent 17ab616653
commit b09fbe0797

View file

@ -1844,6 +1844,9 @@ gst_queue2_create_write (GstQueue2 * queue, GstBuffer * buffer)
guint64 range_data_start, range_data_end; guint64 range_data_start, range_data_end;
GstQueue2Range *range_to_destroy = NULL; GstQueue2Range *range_to_destroy = NULL;
if (range == queue->current)
goto next_range;
range_data_start = range->rb_offset; range_data_start = range->rb_offset;
range_data_end = range->rb_writing_pos; range_data_end = range->rb_writing_pos;