The previous fix for memory leaks introduced a few regression. The major one is the assert hit in the error path reaching with NULL or uninitialized sub object. Also, in other code paths, it's possible that an already released sub object gets freed again. Fix those bugs by initializing the sub object properly and add a NULL check before calling snd_config_delete(). Fixes: ad5f255b4767 ("conf: fix memory leak on the error path in parse_args()") Reported-and-tested-by: Mark Hills <mark@xxxxxxxx> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> --- src/conf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/conf.c b/src/conf.c index 14b14b597e16..1bcd65c87b94 100644 --- a/src/conf.c +++ b/src/conf.c @@ -5080,6 +5080,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs) const char *new = str; const char *tmp; char *val = NULL; + + sub = NULL; err = parse_arg(&new, &varlen, &val); if (err < 0) goto _err; @@ -5104,6 +5106,7 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs) err = snd_config_search(subs, var, &sub); if (err >= 0) snd_config_delete(sub); + sub = NULL; err = snd_config_search(def, "type", &typ); if (err < 0) { _invalid_type: @@ -5169,7 +5172,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs) err = snd_config_add(subs, sub); if (err < 0) { _err: - snd_config_delete(sub); + if (sub) + snd_config_delete(sub); free(val); return err; } -- 2.26.2