From bdaecfebb8a222e682e2c0b9365f9cf279c08c32 Mon Sep 17 00:00:00 2001
From: "Christian F.K. Schaller"
Date: Tue, 7 Apr 2026 07:01:45 -0400
Subject: [PATCH] module-avb: fix heap corruption in server_destroy_descriptors
server_add_descriptor() allocates the descriptor and its data in a single calloc (d->ptr = SPA_PTROFF(d, sizeof(struct descriptor))), so d->ptr points inside the same allocation as d. Calling free(d->ptr) frees an interior pointer, corrupting the heap. Only free(d) is needed.
Co-Authored-By: Claude Opus 4.6
---
 src/modules/module-avb/internal.h | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/modules/module-avb/internal.h b/src/modules/module-avb/internal.h
index 82ced2f21..e5b283fc0 100644
--- a/src/modules/module-avb/internal.h
+++ b/src/modules/module-avb/internal.h
@@ -102,7 +102,6 @@ static inline void server_destroy_descriptors(struct server *server)
 struct descriptor *d, *t;
 spa_list_for_each_safe(d, t, &server->descriptors, link) {
- free(d->ptr);
 spa_list_remove(&d->link);
 free(d);
 }