From c19c7df0e78f50c168b006fc86318025e5692a6d Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Thu, 23 Jan 2014 19:59:58 +0200 Subject: [PATCH] android/A2DP: Fix invalid read after unregistering an endpoint The endpoint is unregistered but it was still accessible via endpoints list causing the following trace when audio HAL is closed: Invalid read of size 8 at 0x414A49: unregister_endpoint (a2dp.c:114) by 0x3862466477: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x386246649A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x414985: audio_disconnected (a2dp.c:1446) by 0x40FD5C: audio_watch_cb (audio-ipc.c:79) by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x4034D5: main (main.c:449) Address 0x4cd5e68 is 8 bytes inside a block of size 32 free'd at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x386244EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x4159FD: bt_audio_close (a2dp.c:1296) by 0x40F629: ipc_handle_msg (ipc.c:95) by 0x40FD9F: audio_watch_cb (audio-ipc.c:67) by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x4034D5: main (main.c:449)
---
 android/a2dp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/android/a2dp.c b/android/a2dp.c
index 572e0d120..0326b1953 100644
--- a/android/a2dp.c
+++ b/android/a2dp.c
@@ -1293,6 +1293,7 @@ static void bt_audio_close(const void *buf, uint16_t len)
 		return;
 	}
 
+	endpoints = g_slist_remove(endpoints, endpoint);
 	unregister_endpoint(endpoint);
 
 	audio_ipc_send_rsp(AUDIO_OP_CLOSE, AUDIO_STATUS_SUCCESS);
-- 
2.47.3
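Review bot: The added `g_slist_remove()` line is the right fix but says nothing about why it must come before `unregister_endpoint()`; the valgrind trace in the description shows `unregister_endpoint()` ends in `g_free()` of the endpoint, so any list entry left behind is a dangling pointer that `audio_disconnected()`'s `g_slist_free_full(endpoints, unregister_endpoint)` later dereferences. I would put a one-line comment above the new line, `/* Drop the list entry first: unregister_endpoint() frees endpoint */`, so a later reorder of these two statements cannot quietly reintroduce the use-after-free. Since `audio_disconnected()` uses `unregister_endpoint` as the list's destroy callback while this path now removes first and frees second, the ownership rule "the endpoints list owns each endpoint; unregister_endpoint() frees it and never touches the list" belongs on `unregister_endpoint()` itself, and the hunk does not show whether any other single-endpoint caller still needs the same removal, which is worth a grep. bt_audio_close() begins before the hunk, so the `find_endpoint`/error path that produced `endpoint` is not visible here.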