korg/bluez
0
0
Fork 0
mirror of https://git.kernel.org/pub/scm/bluetooth/bluez.git synced 2024-11-15 16:24:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

a2dp: Don't initialize a2dp_sep->destroy until properly registered

Browse Source 
On a2dp_add_sep if the record cannot be properly registred
a2dp_unregister_sep would be called which would attempt to destroy the
user_data causing the following backtrace:

Invalid write of size 8
   at 0x2F41EB: endpoint_init_a2dp_source (media.c:687)
   by 0x2F41EB: media_endpoint_create (media.c:1030)
   by 0x2F6713: register_endpoint (media.c:1155)
   by 0x46983F: process_message (object.c:246)
   by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
   by 0x45F0BF: message_dispatch (mainloop.c:59)
   by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x4955772: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x4CA924: mainloop_run (mainloop-glib.c:66)
   by 0x4CAE1B: mainloop_run_with_signal (mainloop-notify.c:188)
   by 0x2AE791: main (main.c:1258)
 Address 0x6e47a30 is 0 bytes inside a block of size 112 free'd
   at 0x48470E4: free (vg_replace_malloc.c:872)
   by 0x4957CDC: g_free (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x2C2D57: a2dp_unregister_sep (a2dp.c:2588)
   by 0x2D124C: a2dp_add_sep (a2dp.c:2697)
   by 0x2F41D5: endpoint_init_a2dp_source (media.c:687)
   by 0x2F41D5: media_endpoint_create (media.c:1030)
   by 0x2F6713: register_endpoint (media.c:1155)
   by 0x46983F: process_message (object.c:246)
   by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14)
   by 0x45F0BF: message_dispatch (mainloop.c:59)
   by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4)
   by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
This commit is contained in:
Luiz Augusto von Dentz 2022-03-24 14:32:11 -07:00
parent 4fefa24097
commit 18fc3abad2
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
profiles/audio/a2dp.c
View File

@ -2668,8 +2668,6 @@ struct a2dp_sep *a2dp_add_sep(struct btd_adapter *adapter, uint8_t type,
sep->codec = codec;
sep->type = type;
sep->delay_reporting = delay_reporting;
sep->user_data = user_data;
sep->destroy = destroy;
if (type == AVDTP_SEP_TYPE_SOURCE) {
l = &server->sources;
@ -2713,6 +2711,9 @@ struct a2dp_sep *a2dp_add_sep(struct btd_adapter *adapter, uint8_t type,
add:
*l = g_slist_append(*l, sep);
sep->user_data = user_data;
sep->destroy = destroy;
if (err)
*err = 0;
return sep;