[pulseaudio-discuss] [PATCH 2/2] pa_*_volume_change_push: Do not dereference freed memory when freeing the next events

Felipe Sateler fsateler at debian.org
Fri Sep 11 16:15:21 PDT 2015 

Coverity IDs: 1138197, 1138196
---
 src/pulsecore/sink.c   | 3 ++-
 src/pulsecore/source.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/pulsecore/sink.c b/src/pulsecore/sink.c
index c2bf0e4..9ddb527 100644
--- a/src/pulsecore/sink.c
+++ b/src/pulsecore/sink.c
@@ -3543,6 +3543,7 @@ static void pa_sink_volume_change_free(pa_sink_volume_change *c) {
 void pa_sink_volume_change_push(pa_sink *s) {
     pa_sink_volume_change *c = NULL;
     pa_sink_volume_change *nc = NULL;
+    pa_sink_volume_change *pc = NULL;
     uint32_t safety_margin = s->thread_info.volume_change_safety_margin;
 
     const char *direction = NULL;
@@ -3600,7 +3601,7 @@ void pa_sink_volume_change_push(pa_sink *s) {
     pa_log_debug("Volume going %s to %d at %llu", direction, pa_cvolume_avg(&nc->hw_volume), (long long unsigned) nc->at);
 
     /* We can ignore volume events that came earlier but should happen later than this. */
-    PA_LLIST_FOREACH(c, nc->next) {
+    PA_LLIST_FOREACH_SAFE(c, pc, nc->next) {
         pa_log_debug("Volume change to %d at %llu was dropped", pa_cvolume_avg(&c->hw_volume), (long long unsigned) c->at);
         pa_sink_volume_change_free(c);
     }
diff --git a/src/pulsecore/source.c b/src/pulsecore/source.c
index 2dd7a28..b553a2d 100644
--- a/src/pulsecore/source.c
+++ b/src/pulsecore/source.c
@@ -2654,6 +2654,7 @@ static void pa_source_volume_change_free(pa_source_volume_change *c) {
 void pa_source_volume_change_push(pa_source *s) {
     pa_source_volume_change *c = NULL;
     pa_source_volume_change *nc = NULL;
+    pa_source_volume_change *pc = NULL;
     uint32_t safety_margin = s->thread_info.volume_change_safety_margin;
 
     const char *direction = NULL;
@@ -2711,7 +2712,7 @@ void pa_source_volume_change_push(pa_source *s) {
     pa_log_debug("Volume going %s to %d at %llu", direction, pa_cvolume_avg(&nc->hw_volume), (long long unsigned) nc->at);
 
     /* We can ignore volume events that came earlier but should happen later than this. */
-    PA_LLIST_FOREACH(c, nc->next) {
+    PA_LLIST_FOREACH_SAFE(c, pc, nc->next) {
         pa_log_debug("Volume change to %d at %llu was dropped", pa_cvolume_avg(&c->hw_volume), (long long unsigned) c->at);
         pa_source_volume_change_free(c);
     }
-- 
2.5.1

More information about the pulseaudio-discuss mailing list