From cb16d0b239ef3173bf356a6fe86f30403f285941 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 16 Aug 2018 11:42:25 +0200
Subject: [PATCH] curlhhtpsrc: avoid invalid memory references

gst_curl_http_src_remove_queue_item() can free qelement and then we get an invalid memory reference when we do qelement->next a couple of lines below. Take the next pointer earlier so that we can safely free.
---
 ext/curl/gstcurlhttpsrc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ext/curl/gstcurlhttpsrc.c b/ext/curl/gstcurlhttpsrc.c
index e60ccf531d..c1a0bcf5c1 100644
--- a/ext/curl/gstcurlhttpsrc.c
+++ b/ext/curl/gstcurlhttpsrc.c
@@ -1509,7 +1509,7 @@ static void
 gst_curl_http_src_curl_multi_loop (gpointer thread_data)
 {
 GstCurlHttpSrcMultiTaskContext *context;
- GstCurlHttpSrcQueueElement *qelement;
+ GstCurlHttpSrcQueueElement *qelement, *qnext;
 int i, still_running;
 gboolean cond = FALSE;
 CURLMsg *curl_message;
@@ -1655,6 +1655,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
 } else if (context->state == GSTCURL_MULTI_LOOP_STATE_REQUEST_REMOVAL) {
 qelement = context->queue;
 while (qelement != NULL) {
+ qnext = qelement->next;
 if (qelement->p == context->request_removal_element) {
 g_mutex_lock (&qelement->p->buffer_mutex);
 curl_multi_remove_handle (context->multi_handle,
@@ -1668,7 +1669,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
 g_mutex_unlock (&qelement->p->buffer_mutex);
 gst_curl_http_src_remove_queue_item (&context->queue, qelement->p);
 }
- qelement = qelement->next;
+ qelement = qnext;
 }
 context->request_removal_element = NULL;
 context->state = GSTCURL_MULTI_LOOP_STATE_RUNNING;
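Review bot: The added `qnext = qelement->next;` in the REQUEST_REMOVAL branch (second hunk) has no comment saying why the next pointer is read before the `if`, so a later tidy-up could move it back below the removal call and bring the use-after-free back. I would put `/* read next now: gst_curl_http_src_remove_queue_item() may free qelement */` above it. `qnext` is only meaningful inside this loop, so declaring it at the top of the `while` body rather than at function scope (first hunk) would keep a stale pointer from being reachable elsewhere in the function. The function starts and ends outside these hunks.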
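Review bot: With `qelement = qnext;` in the third hunk, the walk is safe only as long as gst_curl_http_src_remove_queue_item() frees nothing but the node that was just matched; the helper is not shown here, so that is an assumption to confirm. If a source can appear in the queue only once, ending the walk right after the removal call with `break;` would remove the dependency on the saved pointer altogether. If duplicates are possible, a comment next to the call should state which nodes the helper may unlink and free. Between the removal call and the reassignment `qelement` is dangling, so nothing that reads it should be added in that gap.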