pstream: Fix use-after-free in srb_callback

We need to guard the pstream with an extra ref to ensure it is not destroyed at the time we check whether or not the srbchannel is destroyed. Reported-by: Takashi Iwai <tiwai@suse.de> BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=950487 Signed-off-by: David Henningsson <david.henningsson@canonical.com>
author: David Henningsson <david.henningsson@canonical.com> 2015-10-16 22:12:32 +0200
committer: Arun Raghavan <git@arunraghavan.net> 2015-10-30 17:52:33 +0530
commit: 2354dd47acb346c3eca288611ae1b1edaa05a6e3 (patch)
tree: 69ebb5d16683bc50d7fbb2b38efab08b8abc8d4c
parent: 9c6541e84dda1cf2b89fc97f568c2ad4f5ae8ae4 (diff)
download: pulseaudio-2354dd47acb346c3eca288611ae1b1edaa05a6e3.tar.gz
1 files changed, 10 insertions, 1 deletions
diff --git a/src/pulsecore/pstream.c b/src/pulsecore/pstream.c
index 8c14fbb3c..98a838203 100644
--- a/src/pulsecore/pstream.c
+++ b/src/pulsecore/pstream.c
@@ -216,14 +216,23 @@ fail:
 }
 
 static bool srb_callback(pa_srbchannel *srb, void *userdata) {
+    bool b;
     pa_pstream *p = userdata;
 
     pa_assert(p);
     pa_assert(PA_REFCNT_VALUE(p) > 0);
     pa_assert(p->srb == srb);
 
+    pa_pstream_ref(p);
+
     do_pstream_read_write(p);
-    return p->srb != NULL;
+
+    /* If either pstream or the srb is going away, return false.
+       We need to check this before p is destroyed. */
+    b = (PA_REFCNT_VALUE(p) > 1) && (p->srb == srb);
+    pa_pstream_unref(p);
+
+    return b;
 }
 
 static void io_callback(pa_iochannel*io, void *userdata) {
author	David Henningsson <david.henningsson@canonical.com>	2015-10-16 22:12:32 +0200
committer	Arun Raghavan <git@arunraghavan.net>	2015-10-30 17:52:33 +0530
commit	2354dd47acb346c3eca288611ae1b1edaa05a6e3 (patch)
tree	69ebb5d16683bc50d7fbb2b38efab08b8abc8d4c
parent	9c6541e84dda1cf2b89fc97f568c2ad4f5ae8ae4 (diff)
download	pulseaudio-2354dd47acb346c3eca288611ae1b1edaa05a6e3.tar.gz