[GStreamer] use-after-free in MockVideoCaptureSource

https://bugs.webkit.org/show_bug.cgi?id=189462

Reviewed by Xabier Rodriguez-Calvar.

* platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:
(WebCore::WrappedMockRealtimeVideoSource::updateSampleBuffer):
Copy the BGRA data before passing ownership to GStreamer. Also
include a few code style cosmetic changes.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@235890 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

Source/WebCore/ChangeLog

@@ -1,3 +1,15 @@
+2018-09-11  Philippe Normand  <[email protected]>
+
+        [GStreamer] use-after-free in MockVideoCaptureSource
+        https://bugs.webkit.org/show_bug.cgi?id=189462
+
+        Reviewed by Xabier Rodriguez-Calvar.
+
+        * platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp:
+        (WebCore::WrappedMockRealtimeVideoSource::updateSampleBuffer):
+        Copy the BGRA data before passing ownership to GStreamer. Also
+        include a few code style cosmetic changes.
+
 2018-09-11  Jiewen Tan  <[email protected]>
 
         [WebAuthN] Polish AuthenticatorManager and rename it to AuthenticatorCoordinator

Source/WebCore/platform/mediastream/gstreamer/MockGStreamerVideoCaptureSource.cpp

@@ -40,28 +40,24 @@ class WrappedMockRealtimeVideoSource : public MockRealtimeVideoSource {
 
     void updateSampleBuffer()
     {
-        int fpsNumerator, fpsDenominator;
         auto imageBuffer = this->imageBuffer();
-
         if (!imageBuffer)
             return;
 
+        int fpsNumerator, fpsDenominator;
         gst_util_double_to_fraction(frameRate(), &fpsNumerator, &fpsDenominator);
+        auto imageSize = imageBuffer->internalSize();
+        auto caps = adoptGRef(gst_caps_new_simple("video/x-raw",
+            "format", G_TYPE_STRING, "BGRA",
+            "width", G_TYPE_INT, imageSize.width(),
+            "height", G_TYPE_INT, imageSize.height(),
+            "framerate", GST_TYPE_FRACTION, fpsNumerator, fpsDenominator, nullptr));
         auto data = imageBuffer->toBGRAData();
         auto size = data.size();
-        auto image_size = imageBuffer->internalSize();
-        auto gstsample = gst_sample_new(gst_buffer_new_wrapped(static_cast<guint8*>(data.releaseBuffer().get()), size),
-            adoptGRef(gst_caps_new_simple("video/x-raw",
-                "format", G_TYPE_STRING, "BGRA",
-                "width", G_TYPE_INT, image_size.width(),
-                "height", G_TYPE_INT, image_size.height(),
-                "framerate", GST_TYPE_FRACTION, fpsNumerator, fpsDenominator,
-                nullptr)).get(),
-            nullptr, nullptr);
-
-        auto sample = MediaSampleGStreamer::create(WTFMove(gstsample),
-            WebCore::FloatSize(), String());
-        videoSampleAvailable(sample);
+        auto buffer = adoptGRef(gst_buffer_new_wrapped(g_memdup(data.releaseBuffer().get(), size), size));
+        auto gstSample = adoptGRef(gst_sample_new(buffer.get(), caps.get(), nullptr, nullptr));
+
+        videoSampleAvailable(MediaSampleGStreamer::create(WTFMove(gstSample), FloatSize(), String()));
     }
 };