From eccb09141dd9d704cf43d13cdfb32fd0d8d7efd2 Mon Sep 17 00:00:00 2001
From: Hwankyu Jhun
Date: Wed, 5 Jun 2019 17:51:29 +0900
Subject: [PATCH] Fix invalid access

If the process uses the aul_svc_run_service_for_uid() function in the thread, the result callback info handle is deleted in the main thread when the callee application sends a result immediately.

- Memcheck report
+------------------------------------------------------------------------------+
| Thread 4: |
| Invalid write of size 4 |
| at 0x50F7594: __launch_app_with_result (launch_with_result.c:337) |
| by 0x50F7781: aul_launch_app_with_result_for_uid (launch_with_result.c:357)|
| by 0x50FA777: __run_svc_with_pkgname (service.c:247) |
| by 0x50FAE37: __run_service (service.c:896) |
| by 0x50FB743: aul_svc_run_service_for_uid (service.c:1171) |
| Address 0x5a57b58 is 0 bytes inside a block of size 24 free'd |
| at 0x4846EC8: free (vg_replace_malloc.c:530) |
| by 0x50F73C5: __call_app_result_callback (launch_with_result.c:207) |
| by 0x50F7741: app_result (launch_with_result.c:295) |
| Block was alloc'd at |
| at 0x48458A4: malloc (vg_replace_malloc.c:299) |
| by 0x50F71FF: __create_resultcb (launch_with_result.c:128) |
| by 0x50F7575: __launch_app_with_result (launch_with_result.c:329) |
| by 0x50F7781: aul_launch_app_with_result_for_uid (launch_with_result.c:357)|
+------------------------------------------------------------------------------+

Change-Id: I9cf4704e8bf949d136e810004e5e89680e547e24
Signed-off-by: Hwankyu Jhun
---
src/launch_with_result.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/launch_with_result.c b/src/launch_with_result.c
index 7eb856a..826cbc7 100644
--- a/src/launch_with_result.c
+++ b/src/launch_with_result.c
@@ -288,16 +288,18 @@ static int __launch_app_with_result(int cmd, const char *appid, bundle *kb,
info = __create_resultcb(-1, seq_num, callback, NULL, data);
if (info)
__add_resultcb(info);
- free(seq_num);
ret = app_request_to_launchpad_for_uid(cmd, appid, kb, uid);
- if (ret > 0) {
- if (info)
+ info = __find_resultcb(seq_num);
+ if (info) {
+ if (ret > 0) {
info->launched_pid = ret;
- } else {
- __remove_resultcb(info);
- __destroy_resultcb(info);
+ } else {
+ __remove_resultcb(info);
+ __destroy_resultcb(info);
+ }
}
+ free(seq_num);
return ret;
}
--
2.7.4
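Review bot: Re-looking up the entry with `__find_resultcb(seq_num)` after the launch request narrows the use-after-free window reported by memcheck but does not close it unless the lookup and the following `info->launched_pid = ret` and `__remove_resultcb`/`__destroy_resultcb` lines run under the same lock that `__call_app_result_callback` holds before freeing the entry; the hunk does not show whether `__find_resultcb` returns with such a lock held, so the main thread may still free `info` between the find and the write. If the result-callback list has a mutex, the write and the remove/destroy branch should stay inside the locked region, or the lookup should hand back a reference that the callback path honours before freeing. The reason for the second lookup also deserves a comment on the `__find_resultcb` line, e.g. `/* info may already have been freed by the result callback on another thread; look it up again by seq_num instead of reusing the pointer */`. `__launch_app_with_result` begins before this hunk.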