gstreamer1-plugins-bad-free/SOURCES/0002-curlhhtpsrc-avoid-invalid-memory-references.patch

From cb16d0b239ef3173bf356a6fe86f30403f285941 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Thu, 16 Aug 2018 11:42:25 +0200
Subject: [PATCH 2/2] curlhhtpsrc: avoid invalid memory references

gst_curl_http_src_remove_queue_item() can free qelement and then
we get an invalid memory reference when we do qelement->next a
couple of lines below. Take the next pointer earlier so that we can
safely free.
---
 ext/curl/gstcurlhttpsrc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ext/curl/gstcurlhttpsrc.c b/ext/curl/gstcurlhttpsrc.c
index e60ccf531..c1a0bcf5c 100644
--- a/ext/curl/gstcurlhttpsrc.c
+++ b/ext/curl/gstcurlhttpsrc.c
@@ -1509,7 +1509,7 @@ static void
 gst_curl_http_src_curl_multi_loop (gpointer thread_data)
 {
   GstCurlHttpSrcMultiTaskContext *context;
-  GstCurlHttpSrcQueueElement *qelement;
+  GstCurlHttpSrcQueueElement *qelement, *qnext;
   int i, still_running;
   gboolean cond = FALSE;
   CURLMsg *curl_message;
@@ -1655,6 +1655,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
   } else if (context->state == GSTCURL_MULTI_LOOP_STATE_REQUEST_REMOVAL) {
     qelement = context->queue;
     while (qelement != NULL) {
+      qnext = qelement->next;
       if (qelement->p == context->request_removal_element) {
         g_mutex_lock (&qelement->p->buffer_mutex);
         curl_multi_remove_handle (context->multi_handle,
@@ -1668,7 +1669,7 @@ gst_curl_http_src_curl_multi_loop (gpointer thread_data)
         g_mutex_unlock (&qelement->p->buffer_mutex);
         gst_curl_http_src_remove_queue_item (&context->queue, qelement->p);
       }
-      qelement = qelement->next;
+      qelement = qnext;
     }
     context->request_removal_element = NULL;
     context->state = GSTCURL_MULTI_LOOP_STATE_RUNNING;
-- 
2.17.1