[webkit-reviews] review denied: [Bug 189462] [GStreamer] use-after-free in MockVideoCaptureSource : [Attachment 349285] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 10 01:45:28 PDT 2018


Xabier Rodríguez Calvar <calvaris at igalia.com> has denied Philippe Normand
<pnormand at igalia.com>'s request for review:
Bug 189462: [GStreamer] use-after-free in MockVideoCaptureSource
https://bugs.webkit.org/show_bug.cgi?id=189462

Attachment 349285: Patch

https://bugs.webkit.org/attachment.cgi?id=349285&action=review




--- Comment #7 from Xabier Rodríguez Calvar <calvaris at igalia.com> ---
Comment on attachment 349285
  --> https://bugs.webkit.org/attachment.cgi?id=349285
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=349285&action=review

>>>
Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.c
pp:-53
>>> -	     auto gstsample =
gst_sample_new(gst_buffer_new_wrapped(static_cast<guint8*>(data.releaseBuffer()
.get()), size),
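Review bot: on the removed line (MockGStreamerVideoCaptureSource.cpp:53), data.releaseBuffer().get() passes a raw pointer into gst_buffer_new_wrapped while the temporary returned by releaseBuffer() still owns the allocation, so the same block ends up with two owners. Whatever replaces it should leave exactly one: either take the pointer out of the temporary before wrapping, or keep the owner alive and tie its release to the buffer's lifetime. A one-line comment at the call stating who frees the memory would make the transfer visible to the next reader.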
>> 
>> I think data.releaseBuffer().get() was giving us ownership of the data, am I
>> wrong? I know it is for testing only but this introduces a big memcpy that we
>> should avoid fmpov.
>
> Hum yeah it should be possible to avoid the memcpy... It seems the issue is
> actually related with the MallocPtr returned by releaseBuffer(). I'll try
> another approach with gst_buffer_wrapped_full()...

From what I understand there, the problem of this line is data.releaseBuffer()
returns a MallocPtr and get() gets that pointer that is passed to
gst_buffer_new_wrapped. The problem happens when that MallocPtr goes out of
scope just after running the get() so that pointer we pass with [transfer full]
disappears with ~MallocPtr. I think what we want here is to do
data.releaseBuffer().leakPtr() which will "leak" the pointer directly into the
gst_buffer_new_wrapped [transfer full].

Am I missing anything here?
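
The ownership question raised in this message, as an added example that is not part of the original email or of the WebKit patch. OwningPtr, WrappedBuffer, releaseBuffer(), wrap() and the tracking allocator are hypothetical stand-ins for MallocPtr and a [transfer full] buffer wrapper, constructed so that the early free and the second free are counted rather than actually performed.

```cpp
#include <cstdio>

// Constructed tracking allocator: fixed slots in a static pool, so an early or
// repeated free is counted instead of corrupting the real heap.
static unsigned char g_pool[8 * 64];
static bool g_live[8];
static int g_next = 0, g_badFrees = 0;
static int slotOf(void* p) { return (static_cast<unsigned char*>(p) - g_pool) / 64; }
static void* trackedMalloc() { int i = g_next++ % 8; g_live[i] = true; return g_pool + 64 * i; }
static bool isLive(void* p) { return g_live[slotOf(p)]; }
static void trackedFree(void* p) {
    if (!p) return;
    if (!g_live[slotOf(p)]) ++g_badFrees; // block was already freed by another owner
    g_live[slotOf(p)] = false;
}

// Hypothetical stand-in for an owning pointer such as the MallocPtr in the thread.
class OwningPtr {
public:
    explicit OwningPtr(void* p) : m_ptr(p) { }
    OwningPtr(OwningPtr&& other) : m_ptr(other.leakPtr()) { }
    ~OwningPtr() { trackedFree(m_ptr); }
    void* get() const { return m_ptr; }                             // borrow; owner still frees
    void* leakPtr() { void* p = m_ptr; m_ptr = nullptr; return p; } // owner gives the block up
private:
    void* m_ptr;
};
static OwningPtr releaseBuffer() { return OwningPtr(trackedMalloc()); }

// Hypothetical [transfer full] consumer: it frees the data when unreffed.
struct WrappedBuffer {
    void* data;
    void unref() { trackedFree(data); data = nullptr; }
};
struct Outcome { bool liveWhileWrapped; int badFrees; };

static Outcome wrap(bool useLeakPtr) {
    g_badFrees = 0;
    // With get(), the temporary owner is destroyed at the end of this statement.
    WrappedBuffer buffer { useLeakPtr ? releaseBuffer().leakPtr() : releaseBuffer().get() };
    Outcome outcome { isLive(buffer.data), 0 };
    buffer.unref(); // after get() this is the second free of the same block
    outcome.badFrees = g_badFrees;
    return outcome;
}

int main() {
    std::printf("get():     live=%d badFrees=%d\n", wrap(false).liveWhileWrapped, wrap(false).badFrees);
    std::printf("leakPtr(): live=%d badFrees=%d\n", wrap(true).liveWhileWrapped, wrap(true).badFrees);
}
```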

