[PATCH alsa-lib] conf: Fix invalid free at parse_args()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The previous fix for memory leaks introduced a few regression.
The major one is the assert hit in the error path reaching with NULL
or uninitialized sub object.  Also, in other code paths, it's possible
that an already released sub object gets freed again.

Fix those bugs by initializing the sub object properly and add a NULL
check before calling snd_config_delete().

Fixes: ad5f255b4767 ("conf: fix memory leak on the error path in parse_args()")
Reported-and-tested-by: Mark Hills <mark@xxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
 src/conf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/conf.c b/src/conf.c
index 14b14b597e16..1bcd65c87b94 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -5080,6 +5080,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
 		const char *new = str;
 		const char *tmp;
 		char *val = NULL;
+
+		sub = NULL;
 		err = parse_arg(&new, &varlen, &val);
 		if (err < 0)
 			goto _err;
@@ -5104,6 +5106,7 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
 		err = snd_config_search(subs, var, &sub);
 		if (err >= 0)
 			snd_config_delete(sub);
+		sub = NULL;
 		err = snd_config_search(def, "type", &typ);
 		if (err < 0) {
 		_invalid_type:
@@ -5169,7 +5172,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
 		err = snd_config_add(subs, sub);
 		if (err < 0) {
 		_err:
-			snd_config_delete(sub);
+			if (sub)
+				snd_config_delete(sub);
 			free(val);
 			return err;
 		}
-- 
2.26.2




[Index of Archives]     [ALSA User]     [Linux Audio Users]     [Pulse Audio]     [Kernel Archive]     [Asterisk PBX]     [Photo Sharing]     [Linux Sound]     [Video 4 Linux]     [Gimp]     [Yosemite News]

  Powered by Linux