Fix use-after-free bug for idxset free

[Version] 5.0.176
[Issue Type] Bug Fix

Change-Id: I342a61f69fd7f0705509f785dd82652839514262

diff --git a/packaging/pulseaudio-modules-tizen.spec b/packaging/pulseaudio-modules-tizen.spec
index 0dab3be89ab459a3d765f77a90bf32426aae1e66..15e01ee037c157ffd7324ff66fc05977ac7d8bf7 100644 (file)
--- a/packaging/pulseaudio-modules-tizen.spec
+++ b/packaging/pulseaudio-modules-tizen.spec
@@ -1,6 +1,6 @@
 Name:             pulseaudio-modules-tizen
 Summary:          Pulseaudio modules for Tizen
-Version:          5.0.175
+Version:          5.0.176
 Release:          0
 Group:            Multimedia/Audio
 License:          LGPL-2.1+

diff --git a/src/stream-manager-dbus.c b/src/stream-manager-dbus.c
index 39edf87ba8b4f4932bb035e1d761e6acec9c313b..a50aaa68adc910c8540d5e82218003cbc00f9f33 100644 (file)
--- a/src/stream-manager-dbus.c
+++ b/src/stream-manager-dbus.c
@@ -406,8 +406,6 @@ static void handle_set_stream_route_devices(DBusConnection *conn, DBusMessage *m
     uint32_t *out_device_list = NULL;
     int list_len_in = 0;
     int list_len_out = 0;
-    uint32_t idx = 0;
-    uint32_t *device_id = NULL;
     stream_parent *sp = NULL;
     DBusMessage *reply = NULL;
     pa_stream_manager *m = (pa_stream_manager*)userdata;
@@ -457,10 +455,7 @@ static void handle_set_stream_route_devices(DBusConnection *conn, DBusMessage *m
         goto finish;
     }
 
-    PA_IDXSET_FOREACH(device_id, sp->idx_route_in_devices, idx) {
-        pa_idxset_remove_by_data(sp->idx_route_in_devices, device_id, NULL);
-        pa_xfree(device_id);
-    }
+    pa_idxset_remove_all(sp->idx_route_in_devices, pa_xfree);
     if (in_device_list && list_len_in) {
         for (i = 0; i < list_len_in; i++) {
             pa_idxset_put(sp->idx_route_in_devices, pa_xmemdup(&in_device_list[i], sizeof(uint32_t)), NULL);
@@ -470,10 +465,7 @@ static void handle_set_stream_route_devices(DBusConnection *conn, DBusMessage *m
     if ((ret = update_devices_and_trigger_routing(m, sp, STREAM_SOURCE_OUTPUT)))
         goto finish;
 
-    PA_IDXSET_FOREACH(device_id, sp->idx_route_out_devices, idx) {
-        pa_idxset_remove_by_data(sp->idx_route_out_devices, device_id, NULL);
-        pa_xfree(device_id);
-    }
+    pa_idxset_remove_all(sp->idx_route_out_devices, pa_xfree);
     if (out_device_list && list_len_out) {
         for (i = 0; i < list_len_out; i++) {
             pa_idxset_put(sp->idx_route_out_devices, pa_xmemdup(&out_device_list[i], sizeof(uint32_t)), NULL);

diff --git a/src/stream-manager-volume.c b/src/stream-manager-volume.c
index dc9e535706ac982c4e1482f5f6131e7de8aa3873..bb88915d0fe4fceec44aeda6b4368f3b1152d85a 100644 (file)
--- a/src/stream-manager-volume.c
+++ b/src/stream-manager-volume.c
@@ -764,8 +764,6 @@ int32_t init_volumes(pa_stream_manager *m) {
 void deinit_volumes(pa_stream_manager *m) {
     volume_info *v = NULL;
     void *state = NULL;
-    uint32_t idx = 0;
-    double *level = NULL;
     double *gain = NULL;
     int i = 0;
 
@@ -774,11 +772,8 @@ void deinit_volumes(pa_stream_manager *m) {
     if (m->volume_infos) {
         PA_HASHMAP_FOREACH(v, m->volume_infos, state) {
             for (i = 0; i < STREAM_DIRECTION_MAX; i++) {
-                if (v->values[i].idx_volume_values) {
-                    PA_IDXSET_FOREACH(level, v->values[i].idx_volume_values, idx)
-                        pa_xfree(level);
-                    pa_idxset_free(v->values[i].idx_volume_values, NULL);
-                }
+                if (v->values[i].idx_volume_values)
+                    pa_idxset_free(v->values[i].idx_volume_values, pa_xfree);
             }
         }
     }

diff --git a/src/stream-manager.c b/src/stream-manager.c
index c6a7d2645071fc163975490e17f079781ffa4491..e8f0d1d0e9343def1ce915b3ff2c9960df2d6550 100644 (file)
--- a/src/stream-manager.c
+++ b/src/stream-manager.c
@@ -2990,8 +2990,6 @@ static void subscribe_cb(pa_core *core, pa_subscription_event_type_t t, uint32_t
     pa_client *client = NULL;
     stream_parent *sp = NULL;
     const char *name = NULL;
-    uint32_t *device_id = NULL;
-    uint32_t _idx = 0;
 
     pa_core_assert_ref(core);
     pa_assert(m);
@@ -3023,16 +3021,12 @@ static void subscribe_cb(pa_core *core, pa_subscription_event_type_t t, uint32_t
         if (sp) {
             pa_log_debug(" - remove sp(%p), idx(%u)", sp, idx);
             pa_hashmap_remove(m->stream_parents, (const void*)idx);
-            if (sp->idx_route_in_devices)
-                PA_IDXSET_FOREACH(device_id, sp->idx_route_in_devices, _idx)
-                    pa_xfree(device_id);
-            if (sp->idx_route_out_devices)
-                PA_IDXSET_FOREACH(device_id, sp->idx_route_out_devices, _idx)
-                    pa_xfree(device_id);
             pa_idxset_free(sp->idx_sink_inputs, NULL);
             pa_idxset_free(sp->idx_source_outputs, NULL);
-            pa_idxset_free(sp->idx_route_in_devices, NULL);
-            pa_idxset_free(sp->idx_route_out_devices, NULL);
+            if (sp->idx_route_in_devices)
+                pa_idxset_free(sp->idx_route_in_devices, pa_xfree);
+            if (sp->idx_route_out_devices)
+                pa_idxset_free(sp->idx_route_out_devices, pa_xfree);
             pa_xfree(sp);
         } else {
             pa_log_error(" - could not find any stream_parent that has idx(%u)", idx);