audio/a2dp: Fix possible invalid reads In case the D-Bus endpoint needs to respond or select a configuration for SetConfiguration the setup given as user_data needs to be referenced as the setup can be aborted before there is a reply leading to crash like following the following: Invalid read of size 8 at 0x41B45E: select_cb (a2dp.c:1779) by 0x426881: select_cb (media.c:510) by 0x427A0F: endpoint_reply (media.c:315) by 0x53A7391: ??? (in /usr/lib64/libdbus-1.so.3.16.3) by 0x53AACDE: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.16.3) by 0x4C54EF: message_dispatch (mainloop.c:72) by 0x50C88E6: ??? (in /usr/lib64/libglib-2.0.so.0.5000.2) by 0x50CBE41: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5000.2) by 0x50CC1BF: ??? (in /usr/lib64/libglib-2.0.so.0.5000.2) by 0x50CC4E1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5000.2) by 0x40C85E: main (main.c:708) Address 0x9704de8 is 56 bytes inside a block of size 88 free'd at 0x4C2ED4A: free (vg_replace_malloc.c:530) by 0x50D16BD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.2) by 0x418FAA: setup_free (a2dp.c:166) by 0x418FAA: setup_unref (a2dp.c:178) by 0x41E3DE: a2dp_cancel (a2dp.c:2176) by 0x418244: sink_disconnect (sink.c:402) by 0x41C5B7: a2dp_sink_disconnect (a2dp.c:2344)

Diffstat

1 files changed, 13 insertions(+), 5 deletions(-)