Fix use-after-free bug issued by ASAN

author Seungbae Shin <seungbae.shin@samsung.com>

Thu, 28 Jun 2018 12:11:08 +0000 (21:11 +0900)

committer Seungbae Shin <seungbae.shin@samsung.com>

Mon, 2 Jul 2018 05:20:39 +0000 (14:20 +0900)
author Seungbae Shin <seungbae.shin@samsung.com>
Thu, 28 Jun 2018 12:11:08 +0000 (21:11 +0900)
committer Seungbae Shin <seungbae.shin@samsung.com>
Mon, 2 Jul 2018 05:20:39 +0000 (14:20 +0900)
diff --git a/packaging/libmm-sound.spec b/packaging/libmm-sound.spec

index ab317b0..94b4433 100644 (file)
--- a/packaging/libmm-sound.spec
+++ b/packaging/libmm-sound.spec
@@ -1,6 +1,6 @@
  Name:       libmm-sound
  Summary:    MMSound Package contains client lib and sound_server binary
-Version:    0.12.20
+Version:    0.12.21
  Release:    0
  Group:      System/Libraries
  License:    Apache-2.0
diff --git a/server/plugin/tone/mm_sound_plugin_codec_tone.c b/server/plugin/tone/mm_sound_plugin_codec_tone.c

index 6b31981..aa403fd 100644 (file)
--- a/server/plugin/tone/mm_sound_plugin_codec_tone.c
+++ b/server/plugin/tone/mm_sound_plugin_codec_tone.c
@@ -104,6 +104,7 @@ typedef struct {
         int pid;
  
         int thread_state;
+       bool *is_stop_request_done;
  } tone_info_t;
  
  typedef enum {
@@ -850,6 +851,10 @@ int MMSoundPlugCodecToneDestroy(MMHandleType handle)
  
         debug_enter("(handle %p)", handle);
  
+       /* if the stop is request done ptr is valid, then inform the result */
+       if (toneInfo->is_stop_request_done)
+               *(toneInfo->is_stop_request_done) = true;
+
         pthread_mutex_destroy(&toneInfo->mutex);
         if (toneInfo)
                 free(toneInfo);
@@ -1159,6 +1164,7 @@ static
  int MMSoundPlugCodecToneStop(MMHandleType handle)
  {
         tone_info_t *toneInfo = (tone_info_t*) handle;
+       bool is_stop_request_done = false;
  
         debug_enter("(handle %p)", handle);
         pthread_mutex_lock(&toneInfo->mutex);
@@ -1168,12 +1174,14 @@ int MMSoundPlugCodecToneStop(MMHandleType handle)
                 debug_msg("state(%d) is already STOP or NONE. return", toneInfo->state);
                 return MM_ERROR_NONE;
         }
+       toneInfo->is_stop_request_done = &is_stop_request_done;
         toneInfo->state = STATE_STOP;
         toneInfo->thread_state = THREAD_STATE_STOP;
         pthread_mutex_unlock(&toneInfo->mutex);
         debug_msg("sent stop signal");
  
-       while (toneInfo->state != STATE_NONE)
+       /* check whether stop is actually finished */
+       while (is_stop_request_done == false)
                 usleep(30000);
  
         debug_leave();
author	Seungbae Shin <seungbae.shin@samsung.com>
	Thu, 28 Jun 2018 12:11:08 +0000 (21:11 +0900)
committer	Seungbae Shin <seungbae.shin@samsung.com>
	Mon, 2 Jul 2018 05:20:39 +0000 (14:20 +0900)
packaging/libmm-sound.spec		patch \| blob \| history
server/plugin/tone/mm_sound_plugin_codec_tone.c		patch \| blob \| history