Fix a deadlock and possible crash in res_fax

This patch fixes two bugs.
(1) It unlocks the channel in the framehook handlers before attempting to grab
    the peer from the bridge. The locking order for the bridging framework is
    bridge first, then channel - having the channel locked while attempting to
    obtain the bridge lock causes a locking inversion and a deadlock. This
    patch bumps the channel ref count prior to releasing the lock in the
    framehook to avoid lifetime issues.

    Note that this does expose a subtle problem in framehooks; that is,
    something could modify the framehook list while we are executing, causing
    issues in the framehook list traversal that the callback executes in.
    Fixing this is a much larger problem that is beyond the scope of this
    patch - (a) we already unlock the channel in this particular framehook
    and we haven't run into a problem yet (as modifying the framehook list
    when a channel is about to perform a fax gateway would be a very odd
    operation) and (b) migrating to an ao2 container of framehooks would be
    more invasive at this point. See the referenced ASTERISK issue for more
    information.
(2) Directly packing channel variables into a JSON object turned out to be
    unsafe. A condition existed where the strings in the JSON blob were no
    longer safe to be accessed if the channel object itself was disposed of.

(issue ASTERISK-21951)


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@392564 65c4cc65-6c06-0410-ace0-fbb531ad65f3