File pstream-Fix-use-after-free-in-srb_callback.patch of Package pulseaudio

Overview Repositories Revisions Requests Users Attributes Meta

File pstream-Fix-use-after-free-in-srb_callback.patch of Package pulseaudio

>From 9d370181ec4bc1e252b54dd0e7bb52016f01b238 Mon Sep 17 00:00:00 2001
From: David Henningsson <david.henningsson@canonical.com>
Date: Fri, 16 Oct 2015 22:12:32 +0200
Subject: [PATCH] pstream: Fix use-after-free in srb_callback

We need to guard the pstream with an extra ref to ensure
it is not destroyed at the time we check whether or not the
srbchannel is destroyed.

Reported-by: Takashi Iwai <tiwai@suse.de>
BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=950487
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
---
 src/pulsecore/pstream.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/src/pulsecore/pstream.c
+++ b/src/pulsecore/pstream.c
@@ -216,14 +216,23 @@ fail:
 }
 
 static bool srb_callback(pa_srbchannel *srb, void *userdata) {
+    bool b;
     pa_pstream *p = userdata;
 
     pa_assert(p);
     pa_assert(PA_REFCNT_VALUE(p) > 0);
     pa_assert(p->srb == srb);
 
+    pa_pstream_ref(p);
+
     do_pstream_read_write(p);
-    return p->srb != NULL;
+
+    /* If either pstream or the srb is going away, return false.
+       We need to check this before p is destroyed. */
+    b = (PA_REFCNT_VALUE(p) > 1) && (p->srb == srb);
+    pa_pstream_unref(p);
+
+    return b;
 }
 
 static void io_callback(pa_iochannel*io, void *userdata) {

Places

File pstream-Fix-use-after-free-in-srb_callback.patch of Package pulseaudio

Places