From: Kui Wang <wangkuisuper@xxxxxxxxxxx>
When pulse_hw_constraint returns error, snd_pcm_ioplug_delete() is called.
It will then call pulse_close() where "snd_pcm_pulse_t *pcm" will be free.
Then if goto the "error" label, the "snd_pcm_pulse_t *pcm" will be double-free.
To prevent this, just jump over the code which might cause double-free.
Signed-off-by: Kui Wang <wangkuisuper@xxxxxxxxxxx>
diff --git a/pulse/pcm_pulse.c b/pulse/pcm_pulse.c
index 5cb3452..a8983c6 100644
--- a/pulse/pcm_pulse.c
+++ b/pulse/pcm_pulse.c
@@ -1143,7 +1143,7 @@ SND_PCM_PLUGIN_DEFINE_FUNC(pulse)
err = pulse_hw_constraint(pcm);
if (err < 0) {
snd_pcm_ioplug_delete(&pcm->io);
- goto error;
+ goto error2;
}
*pcmp = pcm->io.pcm;
@@ -1156,6 +1156,7 @@ error:
free(pcm->device);
free(pcm);
+error2:
if (fallback_name)
return snd_pcm_open_fallback(pcmp, root, fallback_name, name,
stream, mode);
--
2.13.2.windows.1
_______________________________________________
Alsa-devel mailing list
Alsa-devel@xxxxxxxxxxxxxxxx
http://mailman.alsa-project.org/mailman/listinfo/alsa-devel
