From 7f26eab8eb1977dec9e9e1b0d96aa999bfe18528 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Wed, 4 Jun 2014 19:41:08 +0200
Subject: [PATCH] shared/hfp: Fix crash due to invalid free

If there are no characters before '\r' memchr() will return pointer matching passed string. This will results either in double free (if '\r' happen to be the first byte in ringbuffer buffer) or in freeing pointer inside ringbuffer buffer (if '\r' is not the first byte).
---
 src/shared/hfp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/shared/hfp.c b/src/shared/hfp.c
index 36c8c3e2f..196e77720 100644
--- a/src/shared/hfp.c
+++ b/src/shared/hfp.c
@@ -381,6 +381,7 @@ static void process_input(struct hfp_gw *hfp)
 {
 char *str, *ptr;
 size_t len, count;
+ bool free_ptr = false;
 str = ringbuf_peek(hfp->read_buf, 0, &len);
 if (!str)
@@ -407,6 +408,7 @@ static void process_input(struct hfp_gw *hfp)
 *ptr = '\0';
 count = asprintf(&ptr, "%s%s", str, str2);
+ free_ptr = true;
 str = ptr;
 } else {
 count = ptr - str;
@@ -424,7 +426,7 @@ static void process_input(struct hfp_gw *hfp)
 len = ringbuf_drain(hfp->read_buf, count + 1);
- if (str == ptr)
+ if (free_ptr)
 free(ptr);
 }
-- 
2.47.3
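Review bot: The asprintf() call kept in the second hunk, `count = asprintf(&ptr, "%s%s", str, str2);`, is still unchecked, and the new `free_ptr = true;` directly after it takes ownership of ptr even when asprintf() fails, in which case ptr's value is not guaranteed to be meaningful and count, being size_t, becomes (size_t)-1. That leaves the third hunk's `free(ptr)` running on an indeterminate pointer and `ringbuf_drain(hfp->read_buf, count + 1)` asking for 0 bytes after unsigned wrap, so the invalid-free class of bug this commit fixes is still reachable under allocation failure. I would capture the result in a signed variable and bail out before taking ownership: `int ret = asprintf(&ptr, "%s%s", str, str2);` / `if (ret < 0) return;` / `count = ret; free_ptr = true;`. Whether pending bytes must first be drained from the ringbuffer on that path depends on the rest of process_input, which begins and ends outside these hunks.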