From 8da3f380860e104e371a9e20bdb2b1fe7746abf6 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 6 Feb 2014 14:00:56 +0200
Subject: [PATCH] android/A2DP: Fix invalid read

Invalid read of size 8
at 0x30EE465A78: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x418209: bt_a2dp_unregister (a2dp.c:1576)
by 0x4039E6: main (main.c:347)
Address 0x4f2d248 is 8 bytes inside a block of size 16 free'd
at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x30EE44EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x30EE4655CA: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x30EE465F0C: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x41645F: a2dp_device_free (a2dp.c:174)
by 0x30EE466477: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x30EE46649A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x418209: bt_a2dp_unregister (a2dp.c:1576)
by 0x4039E6: main (main.c:347)
---
 android/a2dp.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/android/a2dp.c b/android/a2dp.c
index 731fa1623..8cff5357b 100644
--- a/android/a2dp.c
+++ b/android/a2dp.c
@@ -171,10 +171,15 @@ static void a2dp_device_free(void *data)
 setup_remove_all_by_dev(dev);
- devices = g_slist_remove(devices, dev);
 g_free(dev);
 }
+static void a2dp_device_remove(struct a2dp_device *dev)
+{
+ devices = g_slist_remove(devices, dev);
+ a2dp_device_free(dev);
+}
+
 static struct a2dp_device *a2dp_device_new(const bdaddr_t *dst)
 {
 struct a2dp_device *dev;
@@ -229,7 +234,7 @@ static void bt_a2dp_notify_state(struct a2dp_device *dev, uint8_t state)
 bt_avrcp_disconnect(&dev->dst);
- a2dp_device_free(dev);
+ a2dp_device_remove(dev);
 }
 static void bt_audio_notify_state(struct a2dp_setup *setup, uint8_t state)
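Review bot: a2dp_device_free() no longer unlinks dev from `devices` after this hunk, but nothing documents that contract, so a later direct call on a device that is still linked would leave a dangling pointer in the list for the next walk to dereference. I would add a comment above a2dp_device_free along the lines of `/* Frees dev only; the caller must already have unlinked it from devices (see a2dp_device_remove) or be destroying the whole list. */`. The patch converts the call sites in bt_a2dp_notify_state and bt_a2dp_connect; any other direct caller lies outside this diff and is worth checking. It is also worth confirming that bt_a2dp_unregister resets `devices` to NULL after g_slist_free_full, since the list head is otherwise left pointing at freed nodes. The body of a2dp_device_free starts before the hunk, so what setup_remove_all_by_dev does with the list cannot be judged from here.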
@@ -579,7 +584,7 @@ static void bt_a2dp_connect(const void *buf, uint16_t len)
 dev = a2dp_device_new(&dst);
 if (!a2dp_device_connect(dev, signaling_connect_cb)) {
- a2dp_device_free(dev);
+ a2dp_device_remove(dev);
 status = HAL_STATUS_FAILED;
 goto failed;
 }
--
2.47.3