module-avb: fix heap corruption in server_destroy_descriptors

server_add_descriptor() allocates the descriptor and its data in a
single calloc (d->ptr = SPA_PTROFF(d, sizeof(struct descriptor))),
so d->ptr points inside the same allocation as d. Calling free(d->ptr)
frees an interior pointer, corrupting the heap. Only free(d) is needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Christian F.K. Schaller 2026-04-07 07:01:45 -04:00 committed by Wim Taymans
parent 20d648aaad
commit bdaecfebb8


@ -102,7 +102,6 @@ static inline void server_destroy_descriptors(struct server *server)
struct descriptor *d, *t; struct descriptor *d, *t;
spa_list_for_each_safe(d, t, &server->descriptors, link) { spa_list_for_each_safe(d, t, &server->descriptors, link) {
free(d->ptr);
spa_list_remove(&d->link); spa_list_remove(&d->link);
free(d); free(d);
} }
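Review bot: in server_destroy_descriptors, the loop now depends on d->ptr being part of d's own allocation, but nothing at the remaining free(d) call records that invariant. Add a one-line comment there stating that d->ptr points into d and must not be freed separately, so the removed free(d->ptr) is not reintroduced later. It is also worth confirming that server_add_descriptor() is the only place that sets d->ptr, since any path that assigned a separately allocated buffer would leak after this change.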