From b144375974ccd1d692bd04b421d84fc9230e6fe5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Shengqi=20Yu=20=28=E5=96=BB=E7=9B=9B=E7=90=AA=29?=
Date: Tue, 1 Apr 2025 11:02:58 +0800
Subject: [PATCH] pluginloader: fix pending_plugins Glist use-after-free issue
When plugin_loader_load_and_sync returns false in plugin_loader_replay_pending, the cur Glist l->pending_plugins will be added to the blacklist. However, the l->pending_plugins might have already been loaded and freed in handle_rx_packet, so causing a use-after-free issue.
Part-of:
---
 subprojects/gstreamer/gst/gstpluginloader.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/subprojects/gstreamer/gst/gstpluginloader.c b/subprojects/gstreamer/gst/gstpluginloader.c
index 8374ba702a..3324d76050 100644
--- a/subprojects/gstreamer/gst/gstpluginloader.c
+++ b/subprojects/gstreamer/gst/gstpluginloader.c
@@ -264,7 +264,12 @@ restart:
 while ((cur = l->pending_plugins)) {
 PendingPluginEntry *entry = (PendingPluginEntry *) (cur->data);
 
- if (!plugin_loader_load_and_sync (l, entry)) {
+ /* Maybe the cur(current head of the pending plugins list) has already been
+ * processed and deleted from pending plugins in handle_rx_packet when
+ * received this plugin details, so here add cur == l->pending_plugins
+ * to ensure that the cur is valid */
+ if (!plugin_loader_load_and_sync (l, entry)
+ && cur == l->pending_plugins) {
 /* Create dummy plugin entry to block re-scanning this file */
 GST_ERROR ("Plugin file %s failed to load. Blacklisting",
 entry->filename);
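Review bot: When `plugin_loader_load_and_sync` returns false but `cur` is no longer the list head, the new condition drops the failure silently: nothing is logged and the loop moves on to the next entry, while whatever recovery the failure branch performs is skipped (the branch's tail and the rest of the function are outside this hunk). Consider keeping the return value and logging that case without touching `entry`, e.g. `gboolean ok = plugin_loader_load_and_sync (l, entry);` followed by `if (!ok && cur != l->pending_plugins) GST_WARNING ("sync failed after the head entry was already consumed");`. The guard also compares a `GList` pointer that may already have been freed; if a node could be allocated at the same address and become the head during the call, the check would pass with a stale `entry`, so an identity check that does not depend on the freed node's address would be more robust. The added comment would read more clearly as `/* handle_rx_packet may already have processed and freed the head entry while we waited for the child; only blacklist if cur is still the list head */`.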