projects / platform / upstream / pulseaudio.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 92219b0)
Avoid read from freed memory
authorMaarten Bosmans <mkbosmans@gmail.com>
Sat, 13 Aug 2011 11:43:21 +0000 (13:43 +0200)
committerColin Guthrie <colin@mageia.org>
Mon, 15 Aug 2011 08:41:56 +0000 (09:41 +0100)
The order of freeing the hashmaps is important here, because otherwise a string used as key is freed before the hashmap
is freed.

Valgrind reports this as:
 Invalid read of size 1
    at 0x4107042: pa_idxset_string_hash_func (idxset.c:67)
    by 0x4106026: remove_entry (hashmap.c:93)
    by 0x41061BF: pa_hashmap_free (hashmap.c:110)
    by 0x71DD143: pa_dbusiface_core_free (iface-core.c:2105)
    by 0x71F2169: module_dbus_protocol_LTX_pa__done (module-dbus-protocol.c:595)
    by 0x406DC51: pa_module_free (module.c:162)
    by 0x406E01D: pa_module_unload_all (module.c:210)
    by 0x4068842: core_free (core.c:169)
    by 0x406FD5D: pa_object_unref (object.c:64)
    by 0x805224D: pa_core_unref (core.h:184)
    by 0x805560B: main (main.c:1159)
  Address 0x4d099c0 is 0 bytes inside a block of size 100 free'd
    at 0x4025BF0: free (vg_replace_malloc.c:366)
    by 0x40F128C: pa_xfree (xmalloc.c:131)
    by 0x71E4CEB: pa_dbusiface_device_free (iface-device.c:1293)
    by 0x71DCD7E: free_device_cb (iface-core.c:2062)
    by 0x41061D7: pa_hashmap_free (hashmap.c:113)
    by 0x71DD125: pa_dbusiface_core_free (iface-core.c:2104)
    by 0x71F2169: module_dbus_protocol_LTX_pa__done (module-dbus-protocol.c:595)
    by 0x406DC51: pa_module_free (module.c:162)
    by 0x406E01D: pa_module_unload_all (module.c:210)
    by 0x4068842: core_free (core.c:169)
    by 0x406FD5D: pa_object_unref (object.c:64)
    by 0x805224D: pa_core_unref (core.h:184)

src/modules/dbus/iface-core.c patch | blob | history

diff --git a/src/modules/dbus/iface-core.c b/src/modules/dbus/iface-core.c
index bb43df9..042ca3b 100644 (file)
--- a/src/modules/dbus/iface-core.c
+++ b/src/modules/dbus/iface-core.c
@@ -2099,12 +2099,14 @@ void pa_dbusiface_core_free(pa_dbusiface_core *c) {
 
     pa_assert_se(pa_dbus_protocol_remove_interface(c->dbus_protocol, PA_DBUS_CORE_OBJECT_PATH, core_interface_info.name) >= 0);
 
+    /* Note that the order of freeing is important below.
+     * Do not change it for the sake of tidiness without checking! */
     pa_subscription_free(c->subscription);
     pa_hashmap_free(c->cards, free_card_cb, NULL);
-    pa_hashmap_free(c->sinks_by_index, free_device_cb, NULL);
     pa_hashmap_free(c->sinks_by_path, NULL, NULL);
-    pa_hashmap_free(c->sources_by_index, free_device_cb, NULL);
+    pa_hashmap_free(c->sinks_by_index, free_device_cb, NULL);
     pa_hashmap_free(c->sources_by_path, NULL, NULL);
+    pa_hashmap_free(c->sources_by_index, free_device_cb, NULL);
     pa_hashmap_free(c->playback_streams, free_stream_cb, NULL);
     pa_hashmap_free(c->record_streams, free_stream_cb, NULL);
     pa_hashmap_free(c->samples, free_sample_cb, NULL);
Domain: Multimedia / Audio FW;