From: Corey Farrell <git@cfware.com>
Date: Wed, 20 Dec 2017 16:23:08 +0000 (-0500)
Subject: bridge: Old channel video source not set to NULL after unref.
X-Git-Tag: 15.3.0-rc1~163^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b18c69edfa8004449a3310cefde0a2c87f35093a;p=thirdparty%2Fasterisk.git

bridge: Old channel video source not set to NULL after unref.

The bridge holds onto the old channel video source after it's been
released.  This can lead to use after free errors.

ASTERISK-27229 #close

Change-Id: Ib2dab61677dd8a21f7ad53cdc9b8ca93297838b3
---

diff --git a/main/bridge.c b/main/bridge.c
index 7a937ea59b..88d9e54877 100644
--- a/main/bridge.c
+++ b/main/bridge.c
@@ -3848,7 +3848,7 @@ void ast_bridge_update_talker_src_video_mode(struct ast_bridge *bridge, struct a
 		data->average_talking_energy = talker_energy;
 	} else if ((data->average_talking_energy < talker_energy) && is_keyframe) {
 		if (data->chan_old_vsrc) {
-			ast_channel_unref(data->chan_old_vsrc);
+			data->chan_old_vsrc = ast_channel_unref(data->chan_old_vsrc);
 		}
 		if (data->chan_vsrc) {
 			data->chan_old_vsrc = data->chan_vsrc;