korg/bluez
0
0
Fork 0
mirror of https://git.kernel.org/pub/scm/bluetooth/bluez.git synced 2024-11-25 13:14:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix invalid write to memory issue in media module

Browse Source 
Under some circumstances (such as terminating bluetoothd during music is
streamed) endpoint object may be destroyed (memory for endpoint object is
internally freed, directly by "media_endpoint_remove") after invoking
"media_transport_destroy" (in "media_endpoint_clear_configuration") to
destroy transport object (memory for transport object is directly freed by
"media_transport_free"). It leads to invalid write issue (reported by
valgrind) after assignment "endpoint->transport = NULL", since "endpoint"
is "alias" pointer to endpoint object which is already out of date
(memory for endpoint object has been already freed).

This patch prevents from this issue by ensuring that assignment
"endpoint->transport = NULL" would be executed when endpoint object
certainly exists.
This commit is contained in:
Rafal Michalski 2011-06-13 12:50:15 +02:00 committed by Johan Hedberg
parent 94a49c7082
commit a2d3f2d5c5
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
audio/media.c
View File

@ -643,6 +643,7 @@ void media_endpoint_clear_configuration(struct media_endpoint *endpoint)
DBusConnection *conn;
DBusMessage *msg;
const char *path;
struct media_transport *transport = endpoint->transport;
if (endpoint->transport == NULL)
return;
@ -665,8 +666,8 @@ void media_endpoint_clear_configuration(struct media_endpoint *endpoint)
DBUS_TYPE_INVALID);
g_dbus_send_message(conn, msg);
done:
media_transport_destroy(endpoint->transport);
endpoint->transport = NULL;
media_transport_destroy(transport);
}
void media_endpoint_release(struct media_endpoint *endpoint)