From a1ce2426d8cd63f0bd1772b3491d765e9af2b1e7 Mon Sep 17 00:00:00 2001
From: Maarten Bosmans
Date: Sat, 13 Aug 2011 13:43:21 +0200
Subject: [PATCH] Avoid read from freed memory
The order of freeing the hashmaps is important here, because otherwise a string used as key is freed before the hashmap is freed. Valgrind reports this as:
Invalid read of size 1
at 0x4107042: pa_idxset_string_hash_func (idxset.c:67)
by 0x4106026: remove_entry (hashmap.c:93)
by 0x41061BF: pa_hashmap_free (hashmap.c:110)
by 0x71DD143: pa_dbusiface_core_free (iface-core.c:2105)
by 0x71F2169: module_dbus_protocol_LTX_pa__done (module-dbus-protocol.c:595)
by 0x406DC51: pa_module_free (module.c:162)
by 0x406E01D: pa_module_unload_all (module.c:210)
by 0x4068842: core_free (core.c:169)
by 0x406FD5D: pa_object_unref (object.c:64)
by 0x805224D: pa_core_unref (core.h:184)
by 0x805560B: main (main.c:1159)
Address 0x4d099c0 is 0 bytes inside a block of size 100 free'd
at 0x4025BF0: free (vg_replace_malloc.c:366)
by 0x40F128C: pa_xfree (xmalloc.c:131)
by 0x71E4CEB: pa_dbusiface_device_free (iface-device.c:1293)
by 0x71DCD7E: free_device_cb (iface-core.c:2062)
by 0x41061D7: pa_hashmap_free (hashmap.c:113)
by 0x71DD125: pa_dbusiface_core_free (iface-core.c:2104)
by 0x71F2169: module_dbus_protocol_LTX_pa__done (module-dbus-protocol.c:595)
by 0x406DC51: pa_module_free (module.c:162)
by 0x406E01D: pa_module_unload_all (module.c:210)
by 0x4068842: core_free (core.c:169)
by 0x406FD5D: pa_object_unref (object.c:64)
by 0x805224D: pa_core_unref (core.h:184)
---
 src/modules/dbus/iface-core.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/modules/dbus/iface-core.c b/src/modules/dbus/iface-core.c
index bb43df9b6..042ca3b16 100644
--- a/src/modules/dbus/iface-core.c
+++ b/src/modules/dbus/iface-core.c
@@ -2099,12 +2099,14 @@ void pa_dbusiface_core_free(pa_dbusiface_core *c) {
 pa_assert_se(pa_dbus_protocol_remove_interface(c->dbus_protocol, PA_DBUS_CORE_OBJECT_PATH, core_interface_info.name) >= 0);
+ /* Note that the order of freeing is important below.
+ * Do not change it for the sake of tidiness without checking! */
 pa_subscription_free(c->subscription);
 pa_hashmap_free(c->cards, free_card_cb, NULL);
- pa_hashmap_free(c->sinks_by_index, free_device_cb, NULL);
 pa_hashmap_free(c->sinks_by_path, NULL, NULL);
- pa_hashmap_free(c->sources_by_index, free_device_cb, NULL);
+ pa_hashmap_free(c->sinks_by_index, free_device_cb, NULL);
 pa_hashmap_free(c->sources_by_path, NULL, NULL);
+ pa_hashmap_free(c->sources_by_index, free_device_cb, NULL);
 pa_hashmap_free(c->playback_streams, free_stream_cb, NULL);
 pa_hashmap_free(c->record_streams, free_stream_cb, NULL);
 pa_hashmap_free(c->samples, free_sample_cb, NULL);
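Review bot: The added comment warns that the free order matters but does not say which order or why, so a later tidy-up of `pa_dbusiface_core_free` can reintroduce the read of freed memory shown in the Valgrind trace. Going by the commit message and the trace, the keys of `sinks_by_path` and `sources_by_path` are strings owned by the device objects that `free_device_cb` releases, and `pa_hashmap_free` hashes each key while removing entries, so each `*_by_path` map has to be freed before its `*_by_index` twin. I would state that invariant in the comment, e.g. `/* The *_by_path maps borrow their key strings from the device objects, so free them before the *_by_index maps whose free_device_cb frees those objects. */`. The function starts and ends outside the hunk, so whether the other maps freed here share keys in the same way cannot be checked from this page and is worth confirming.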