From babd066b894fc3694693a2abb3cd0d8c6a66992e Mon Sep 17 00:00:00 2001
From: Matthew Waters
Date: Fri, 13 Nov 2015 16:50:22 +1100
Subject: [PATCH] glshader: don't read invalid list pointers (use after free)

gst_gl_shader_detach_unlocked already removes the list entry so attempting to use the element to iterate to the next stage could read invalid data. Based on patch by Vineeth TM https://bugzilla.gnome.org/show_bug.cgi?id=758039
---
 gst-libs/gst/gl/gstglshader.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gst-libs/gst/gl/gstglshader.c b/gst-libs/gst/gl/gstglshader.c
index 218c0a8f54..05b4cafece 100644
--- a/gst-libs/gst/gl/gstglshader.c
+++ b/gst-libs/gst/gl/gstglshader.c
@@ -668,10 +668,12 @@ gst_gl_shader_release_unlocked (GstGLShader * shader)
 priv = shader->priv;
- for (elem = shader->priv->stages; elem; elem = elem->next) {
+ for (elem = shader->priv->stages; elem;) {
 GstGLSLStage *stage = elem->data;
+ GList *next = elem->next;
 gst_gl_shader_detach_unlocked (shader, stage);
+ elem = next;
 }
 g_list_free_full (shader->priv->stages, (GDestroyNotify) gst_object_unref);
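Review bot: The rewritten loop in gst_gl_shader_release_unlocked is safe only as long as gst_gl_shader_detach_unlocked unlinks exactly the node holding `stage`, and nothing at the call site records that dependency; a comment above `GList *next = elem->next;` such as `/* detach_unlocked() unlinks elem from priv->stages, so fetch the successor before calling it */` would keep a later refactor from reintroducing the use after free. If detach could ever unlink a second node as well (its body is not visible here), the saved `next` would itself dangle, so that invariant is worth confirming. The trailing `g_list_free_full (shader->priv->stages, ...)` presumably sees an empty list once every stage has been detached; if any entry can survive the loop, check that it is not unreffed twice and that `priv->stages` is reset to NULL afterwards. The function body starts and ends outside the hunk.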