From: Kui Wang <wangkuisuper@hotmail.com>
Date: Thu, 13 Jul 2017 19:33:05 +0000 (+0000)
Subject: pulse: prevent double-free when pulse_hw_constraint returns error
X-Git-Tag: v1.1.5~1
X-Git-Url: https://git.alsa-project.org/?a=commitdiff_plain;h=c96e167bcedfb91526780f7da86fc0872017119d;p=alsa-plugins.git

pulse: prevent double-free when pulse_hw_constraint returns error

When pulse_hw_constraint returns error, snd_pcm_ioplug_delete() is called.
It will then call pulse_close() where "snd_pcm_pulse_t *pcm" will be free.
Then if goto the "error" label, the "snd_pcm_pulse_t *pcm" will be double-free.

To prevent this, just jump over the code which might cause double-free.

Signed-off-by: Kui Wang <wangkuisuper@hotmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---

diff --git a/pulse/pcm_pulse.c b/pulse/pcm_pulse.c
index 5cb3452..a8983c6 100644
--- a/pulse/pcm_pulse.c
+++ b/pulse/pcm_pulse.c
@@ -1143,7 +1143,7 @@ SND_PCM_PLUGIN_DEFINE_FUNC(pulse)
 	err = pulse_hw_constraint(pcm);
 	if (err < 0) {
 		snd_pcm_ioplug_delete(&pcm->io);
-		goto error;
+		goto error2;
 	}
 
 	*pcmp = pcm->io.pcm;
@@ -1156,6 +1156,7 @@ error:
 	free(pcm->device);
 	free(pcm);
 
+error2:
 	if (fallback_name)
 		return snd_pcm_open_fallback(pcmp, root, fallback_name, name,
 					     stream, mode);