[Bug 771649] New: gst_bin_sort_iterator_copy doesn't copy GstBinSortIterator::queue

GStreamer (GNOME Bugzilla) bugzilla at gnome.org
Mon Sep 19 09:40:31 UTC 2016 

https://bugzilla.gnome.org/show_bug.cgi?id=771649

            Bug ID: 771649
           Summary: gst_bin_sort_iterator_copy doesn't copy
                    GstBinSortIterator::queue
    Classification: Platform
           Product: GStreamer
           Version: unspecified
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: gstreamer (core)
          Assignee: gstreamer-bugs at lists.freedesktop.org
          Reporter: cedlemo at gmx.com
        QA Contact: gstreamer-bugs at lists.freedesktop.org
     GNOME version: ---

I send you this bug report and patch made by Kouhei Sutou <kou at clear-code.com>
from the Ruby-GNOME2 project.

fix a bug that GstBinSortIterator's copy gst_bin_sort_iterator_copy() doesn't
copy GstBinSortIterator::queue. It copies only addresses of internal lists.

It means that queue is shared with copy source GstBinSortIterator. If the
source GstSortIterator is freed, the destination GstBinSortIterator's queue is
invalid. Process is crashed by calling gst_iterator_next() with the destination
GstBinSortIterator after the source GstBinSortIterator is freed because
the destination GstBinSortIterator's queue is invalid.

diff --git a/gst/gstbin.c b/gst/gstbin.c
index a76810e..28bae67 100644
--- a/gst/gstbin.c
+++ b/gst/gstbin.c
@@ -2135,14 +2135,24 @@ typedef struct _GstBinSortIterator
 } GstBinSortIterator;

 static void
+copy_to_queue (gpointer data, gpointer user_data)
+{
+  GstElement *element = data;
+  GQueue *queue = user_data;
+
+  gst_object_ref (element);
+  g_queue_push_tail (queue, element);
+}
+
+static void
 gst_bin_sort_iterator_copy (const GstBinSortIterator * it,
     GstBinSortIterator * copy)
 {
   GHashTableIter iter;
   gpointer key, value;

-  copy->queue = it->queue;
-  g_queue_foreach (&copy->queue, (GFunc) gst_object_ref, NULL);
+  g_queue_init (&copy->queue);
+  g_queue_foreach (&it->queue, copy_to_queue, &copy->queue);

   copy->bin = gst_object_ref (it->bin);
   if (it->best)
-- 
2.9.3


Regards

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.

More information about the gstreamer-bugs mailing list