decodebin2: fix use after free from demuxer flush pad probe

In some cases, we could get a flush-stop event after the chain structure
containing the demuxer was freed.

https://bugzilla.gnome.org/show_bug.cgi?id=782095
This commit is contained in:
Vincent Penquerc'h 2017-05-03 16:02:19 +01:00
parent 0be4504b10
commit b97cbe678f

View file

@ -445,6 +445,7 @@ struct _GstDecodeChain
GMutex lock; /* Protects this chain and its groups */ GMutex lock; /* Protects this chain and its groups */
GstPad *pad; /* srcpad that caused creation of this chain */ GstPad *pad; /* srcpad that caused creation of this chain */
gulong pad_probe_id; /* id for the demuxer_source_pad_probe probe */
gboolean drained; /* TRUE if the all children are drained */ gboolean drained; /* TRUE if the all children are drained */
gboolean demuxer; /* TRUE if elements->data is a demuxer */ gboolean demuxer; /* TRUE if elements->data is a demuxer */
@ -2086,7 +2087,8 @@ connect_pad (GstDecodeBin * dbin, GstElement * src, GstDecodePad * dpad,
GST_OBJECT_NAME (chain->parent->multiqueue)); GST_OBJECT_NAME (chain->parent->multiqueue));
/* Set a flush-start/-stop probe on the downstream events */ /* Set a flush-start/-stop probe on the downstream events */
gst_pad_add_probe (pad, GST_PAD_PROBE_TYPE_EVENT_FLUSH, chain->pad_probe_id =
gst_pad_add_probe (pad, GST_PAD_PROBE_TYPE_EVENT_FLUSH,
demuxer_source_pad_probe, chain->parent, NULL); demuxer_source_pad_probe, chain->parent, NULL);
decode_pad_set_target (dpad, NULL); decode_pad_set_target (dpad, NULL);
@ -4069,6 +4071,11 @@ drain_and_switch_chains (GstDecodeChain * chain, GstDecodePad * drainpad,
CHAIN_MUTEX_LOCK (chain); CHAIN_MUTEX_LOCK (chain);
if (chain->pad_probe_id) {
gst_pad_remove_probe (chain->pad, chain->pad_probe_id);
chain->pad_probe_id = 0;
}
/* Definitely can't be in drained chains */ /* Definitely can't be in drained chains */
if (G_UNLIKELY (chain->drained)) { if (G_UNLIKELY (chain->drained)) {
goto beach; goto beach;