mirrors/pulseaudio
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pulseaudio/pulseaudio.git synced 2025-12-16 08:56:40 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

pstream: Fix use-after-free in srb_callback

Browse source 
We need to guard the pstream with an extra ref to ensure
it is not destroyed at the time we check whether or not the
srbchannel is destroyed.

Reported-by: Takashi Iwai <tiwai@suse.de>
BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=950487
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
This commit is contained in:
David Henningsson 2015-10-16 22:12:32 +02:00
parent 91313e60a8
commit f277f2c509
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/pulsecore/pstream.c
View file

@ -216,14 +216,23 @@ fail:
} }
static bool srb_callback(pa_srbchannel *srb, void *userdata) { static bool srb_callback(pa_srbchannel *srb, void *userdata) {
bool b;
pa_pstream *p = userdata; pa_pstream *p = userdata;
pa_assert(p); pa_assert(p);
pa_assert(PA_REFCNT_VALUE(p) > 0); pa_assert(PA_REFCNT_VALUE(p) > 0);
pa_assert(p->srb == srb); pa_assert(p->srb == srb);
pa_pstream_ref(p);
do_pstream_read_write(p); do_pstream_read_write(p);
return p->srb != NULL;
/* If either pstream or the srb is going away, return false.
We need to check this before p is destroyed. */
b = (PA_REFCNT_VALUE(p) > 1) && (p->srb == srb);
pa_pstream_unref(p);
return b;
} }
static void io_callback(pa_iochannel*io, void *userdata) { static void io_callback(pa_iochannel*io, void *userdata) {