[Webkit-unassigned] [Bug 232914] [GStreamer] Crash in gst_buffer_get_meta when playing reddit video

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Nov 13 07:16:22 PST 2021


https://bugs.webkit.org/show_bug.cgi?id=232914

Philippe Normand <pnormand at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pnormand at igalia.com

--- Comment #4 from Philippe Normand <pnormand at igalia.com> ---
I can't reproduce this, but I think I see what the problem is... 

1. In gst_h264_parse_pre_push_frame() a local buffer variable is set to the frame->out_buffer pointer
2. When gst_h264_parse_handle_sps_pps_nals() is called with that buffer, the frame->out_buffer pointer is updated (gst_buffer_replace() call) and now buffer is dangling
3. The buffer pointer is accessed (unmodified) after the gst_h264_parse_handle_sps_pps_nals() call: BOOM

Can you cherry-pick this commit in your SDK? I think it might fix the problem. If so, I'll ask to have it in 1.18.6 if that ever happens.

https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0f084d46247f9009584b482cea8196b5b871cc73

-- 
You are receiving this mail because:
You are the assignee for the bug.
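As an added example that is not from the bug report, the linked commit or GStreamer itself, here is the dangling-pointer pattern the comment describes, modelled on a minimal refcounted buffer. Buffer, Frame, buffer_replace(), handle_sps_pps_nals() and the two pre_push_frame_* variants are constructed stand-ins for the GStreamer functions named above; the fixed variant simply re-reads frame->out_buffer after the call that may replace it.

```c
#include <stdlib.h>
/* Constructed stand-ins for GstBuffer and the h264parse frame. The last
 * unref marks the buffer freed instead of calling free(), so the stale
 * pointer can be inspected safely in this demo. */
typedef struct { int refcount; int freed; } Buffer;
typedef struct { Buffer *out_buffer; } Frame;

static Buffer *buffer_new(void) {
    Buffer *b = calloc(1, sizeof *b);
    b->refcount = 1;
    return b;
}

static void buffer_unref(Buffer *b) {
    if (--b->refcount == 0)
        b->freed = 1; /* real code would release the memory here */
}

/* Same contract as gst_buffer_replace(): ref the new buffer, store it in
 * the slot, then drop the reference the slot held on the old buffer. */
static void buffer_replace(Buffer **slot, Buffer *nb) {
    Buffer *old = *slot;
    if (old == nb) return;
    if (nb) nb->refcount++;
    *slot = nb;
    if (old) buffer_unref(old);
}

/* Stand-in for gst_h264_parse_handle_sps_pps_nals(): swaps frame->out_buffer
 * for a new buffer carrying the SPS/PPS NALs; afterwards the frame holds
 * the only reference to it, and the old buffer's refcount reaches zero. */
static void handle_sps_pps_nals(Frame *frame) {
    Buffer *with_headers = buffer_new();
    buffer_replace(&frame->out_buffer, with_headers);
    buffer_unref(with_headers);
}

/* Shape described in the comment: the local copy taken before the call is
 * never refreshed, so it points at a buffer whose refcount reached zero. */
static Buffer *pre_push_frame_buggy(Frame *frame) {
    Buffer *buffer = frame->out_buffer;
    handle_sps_pps_nals(frame);
    return buffer; /* dangling */
}
/* Fixed shape: read frame->out_buffer only after the call that may replace it. */
static Buffer *pre_push_frame_fixed(Frame *frame) {
    handle_sps_pps_nals(frame);
    return frame->out_buffer;
}
```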