Fix use-after-free bug for idxset free

[Version] 11.1.12
[Issue Type] Bug Fix

Change-Id: I342a61f69fd7f0705509f785dd82652839514262

diff --git a/packaging/pulseaudio-modules-tizen.spec b/packaging/pulseaudio-modules-tizen.spec
index 32385a7..a8e1351 100644 (file)
--- a/packaging/pulseaudio-modules-tizen.spec
+++ b/packaging/pulseaudio-modules-tizen.spec
@@ -1,6 +1,6 @@
 Name:             pulseaudio-modules-tizen
 Summary:          Pulseaudio modules for Tizen
-Version:          11.1.11
+Version:          11.1.12
 Release:          0
 Group:            Multimedia/Audio
 License:          LGPL-2.1+

diff --git a/src/stream-manager-dbus.c b/src/stream-manager-dbus.c
index 2a50e04..c989bb3 100644 (file)
--- a/src/stream-manager-dbus.c
+++ b/src/stream-manager-dbus.c
@@ -406,8 +406,6 @@ static void handle_set_stream_route_devices(DBusConnection *conn, DBusMessage *m
     uint32_t *out_device_list = NULL;
     int list_len_in = 0;
     int list_len_out = 0;
-    uint32_t idx = 0;
-    uint32_t *device_id = NULL;
     stream_parent *sp = NULL;
     DBusMessage *reply = NULL;
     pa_stream_manager *m = (pa_stream_manager*)userdata;
@@ -457,10 +455,7 @@ static void handle_set_stream_route_devices(DBusConnection *conn, DBusMessage *m
         goto finish;
     }
 
-    PA_IDXSET_FOREACH(device_id, sp->idx_route_in_devices, idx) {
-        pa_idxset_remove_by_data(sp->idx_route_in_devices, device_id, NULL);
-        pa_xfree(device_id);
-    }
+    pa_idxset_remove_all(sp->idx_route_in_devices, pa_xfree);
     if (in_device_list && list_len_in) {
         for (i = 0; i < list_len_in; i++) {
             pa_idxset_put(sp->idx_route_in_devices, pa_xmemdup(&in_device_list[i], sizeof(uint32_t)), NULL);
@@ -470,10 +465,7 @@ static void handle_set_stream_route_devices(DBusConnection *conn, DBusMessage *m
     if ((ret = update_devices_and_trigger_routing(m, sp, STREAM_SOURCE_OUTPUT)))
         goto finish;
 
-    PA_IDXSET_FOREACH(device_id, sp->idx_route_out_devices, idx) {
-        pa_idxset_remove_by_data(sp->idx_route_out_devices, device_id, NULL);
-        pa_xfree(device_id);
-    }
+    pa_idxset_remove_all(sp->idx_route_out_devices, pa_xfree);
     if (out_device_list && list_len_out) {
         for (i = 0; i < list_len_out; i++) {
             pa_idxset_put(sp->idx_route_out_devices, pa_xmemdup(&out_device_list[i], sizeof(uint32_t)), NULL);

diff --git a/src/stream-manager-volume.c b/src/stream-manager-volume.c
index a6b6fed..4804264 100644 (file)
--- a/src/stream-manager-volume.c
+++ b/src/stream-manager-volume.c
@@ -764,8 +764,6 @@ int32_t init_volumes(pa_stream_manager *m) {
 void deinit_volumes(pa_stream_manager *m) {
     volume_info *v = NULL;
     void *state = NULL;
-    uint32_t idx = 0;
-    double *level = NULL;
     double *gain = NULL;
     int i = 0;
 
@@ -774,11 +772,8 @@ void deinit_volumes(pa_stream_manager *m) {
     if (m->volume_infos) {
         PA_HASHMAP_FOREACH(v, m->volume_infos, state) {
             for (i = 0; i < STREAM_DIRECTION_MAX; i++) {
-                if (v->values[i].idx_volume_values) {
-                    PA_IDXSET_FOREACH(level, v->values[i].idx_volume_values, idx)
-                        pa_xfree(level);
-                    pa_idxset_free(v->values[i].idx_volume_values, NULL);
-                }
+                if (v->values[i].idx_volume_values)
+                    pa_idxset_free(v->values[i].idx_volume_values, pa_xfree);
             }
         }
     }

diff --git a/src/stream-manager.c b/src/stream-manager.c
index f88750b..2cc79d1 100644 (file)
--- a/src/stream-manager.c
+++ b/src/stream-manager.c
@@ -2994,8 +2994,6 @@ static void subscribe_cb(pa_core *core, pa_subscription_event_type_t t, uint32_t
     pa_client *client = NULL;
     stream_parent *sp = NULL;
     const char *name = NULL;
-    uint32_t *device_id = NULL;
-    uint32_t _idx = 0;
 
     pa_core_assert_ref(core);
     pa_assert(m);
@@ -3027,16 +3025,12 @@ static void subscribe_cb(pa_core *core, pa_subscription_event_type_t t, uint32_t
         if (sp) {
             pa_log_debug(" - remove sp(%p), idx(%u)", sp, idx);
             pa_hashmap_remove(m->stream_parents, (const void*)idx);
-            if (sp->idx_route_in_devices)
-                PA_IDXSET_FOREACH(device_id, sp->idx_route_in_devices, _idx)
-                    pa_xfree(device_id);
-            if (sp->idx_route_out_devices)
-                PA_IDXSET_FOREACH(device_id, sp->idx_route_out_devices, _idx)
-                    pa_xfree(device_id);
             pa_idxset_free(sp->idx_sink_inputs, NULL);
             pa_idxset_free(sp->idx_source_outputs, NULL);
-            pa_idxset_free(sp->idx_route_in_devices, NULL);
-            pa_idxset_free(sp->idx_route_out_devices, NULL);
+            if (sp->idx_route_in_devices)
+                pa_idxset_free(sp->idx_route_in_devices, pa_xfree);
+            if (sp->idx_route_out_devices)
+                pa_idxset_free(sp->idx_route_out_devices, pa_xfree);
             pa_xfree(sp);
         } else {
             pa_log_error(" - could not find any stream_parent that has idx(%u)", idx);