projects / platform / core / multimedia / mmsvc-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a3001fb)
Fix heap-use-after-free 51/284751/1 submit/tizen_7.0/20221128.071431
authorYoungHun Kim <yh8004.kim@samsung.com>
Thu, 24 Nov 2022 02:37:34 +0000 (11:37 +0900)
committerYoungHun Kim <yh8004.kim@samsung.com>
Fri, 25 Nov 2022 04:30:20 +0000 (04:30 +0000)
 - Module released by _ms_ipc_module_cleanup() could be used again in ms_ipc_create_msg_dispatch_worker
 - Put into protected critical section for ms_ipc_create_msg_dispatch_worker()

Change-Id: Id68e77b5da8db91f132429bed230be03895c6857
(cherry picked from commit 058994db9f317410c10cad5d05ef283677d07056)

packaging/mused.spec patch | blob | history
server/src/muse_server_ipc.c patch | blob | history

diff --git a/packaging/mused.spec b/packaging/mused.spec
index c0c3fed99b12adf9dd982e009ac49003b6dbc265..ab0583d6c53d8aa7cb3089bf087783077f0c1a9e 100644 (file)
--- a/packaging/mused.spec
+++ b/packaging/mused.spec
@@ -1,6 +1,6 @@
 Name:       mused
 Summary:    A multimedia daemon
-Version:    0.3.156
+Version:    0.3.157
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0
diff --git a/server/src/muse_server_ipc.c b/server/src/muse_server_ipc.c
index 6723c4c0de36e01297028a4e2bf82264644cff2f..e8e8e711f88f64f603487cf6d278fb7c0819e72d 100644 (file)
--- a/server/src/muse_server_ipc.c
+++ b/server/src/muse_server_ipc.c
@@ -421,12 +421,19 @@ gboolean ms_ipc_create_msg_dispatch_worker(muse_module_h m)
        GError *error = NULL;
        muse_server_h ms = ms_get_instance();
 
+       ms_connection_t *connection = NULL;
+
        LOGD("Enter %p", m);
 
        muse_return_val_if_fail(ms, FALSE);
        muse_return_val_if_fail(ms_is_server_ready(), FALSE);
        muse_return_val_if_fail(muse_server_module_is_valid(m), FALSE);
 
+       connection = ms->connection;
+       muse_return_val_if_fail(connection, FALSE);
+
+       ms_connection_lock(connection);
+
        SECURE_LOGD("[PID %d module %p] module's msg channel fd : %d", m->pid, m, m->ch[MUSE_CHANNEL_MSG].sock_fd);
 
        thread = g_thread_try_new(MSG_THREAD_NAME, _ms_ipc_dispatch_worker, (gpointer)m, &error);
@@ -434,11 +441,14 @@ gboolean ms_ipc_create_msg_dispatch_worker(muse_module_h m)
                LOGE("[module %p] thread creation failed : %s", m, error->message);
                g_error_free(error);
                ms_log_process_info(ms->pid);
+               ms_connection_unlock(connection);
                return FALSE;
        }
 
        LOGD("Leave module %p thread %p", m, thread);
 
+       ms_connection_unlock(connection);
+
        return TRUE;
 }
 
Domain: Multimedia / Media Common;