From: Corey Farrell Date: Wed, 20 Dec 2017 16:23:08 +0000 (-0500) Subject: bridge: Old channel video source not set to NULL after unref. X-Git-Tag: 13.20.0-rc1~149^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be3800c49d4a47527175d377a430ff16b87d0bb1;p=thirdparty%2Fasterisk.git bridge: Old channel video source not set to NULL after unref. The bridge holds onto the old channel video source after it's been released. This can lead to use after free errors. ASTERISK-27229 #close Change-Id: Ib2dab61677dd8a21f7ad53cdc9b8ca93297838b3 --- diff --git a/main/bridge.c b/main/bridge.c index 5e065fb35b..8284fd3af9 100644 --- a/main/bridge.c +++ b/main/bridge.c @@ -3808,7 +3808,7 @@ void ast_bridge_update_talker_src_video_mode(struct ast_bridge *bridge, struct a data->average_talking_energy = talker_energy; } else if ((data->average_talking_energy < talker_energy) && is_keyframe) { if (data->chan_old_vsrc) { - ast_channel_unref(data->chan_old_vsrc); + data->chan_old_vsrc = ast_channel_unref(data->chan_old_vsrc); } if (data->chan_vsrc) { data->chan_old_vsrc = data->chan_vsrc;
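Review bot: In the `is_keyframe` branch of ast_bridge_update_talker_src_video_mode(), the new line `data->chan_old_vsrc = ast_channel_unref(data->chan_old_vsrc);` clears the pointer only if ast_channel_unref() evaluates to NULL, which nothing in the hunk shows; a short comment saying so would make the intent clear to the next reader. From the visible lines, the stale pointer survives only when `data->chan_vsrc` is NULL, since otherwise `data->chan_old_vsrc = data->chan_vsrc;` overwrites it right away, so the commit message could name that path as the one that leads to the use after free. It is also worth confirming that the other places in main/bridge.c that release `chan_old_vsrc` or `chan_vsrc` reset the field in the same way, so the fix is not limited to this one call site.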