From 7bf1dd543b37efde77946ec866dc27df5ef5754f Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Thu, 18 Mar 2021 17:43:58 +0100
Subject: [PATCH] conf: Fix invalid free at parse_args()
The previous fix for memory leaks introduced a few regression. The major one is the assert hit in the error path reaching with NULL or uninitialized sub object. Also, in other code paths, it's possible that an already released sub object gets freed again. Fix those bugs by initializing the sub object properly and add a NULL check before calling snd_config_delete().
Fixes: ad5f255b4767 ("conf: fix memory leak on the error path in parse_args()")
Reported-and-tested-by: Mark Hills
Signed-off-by: Takashi Iwai
---
 src/conf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/conf.c b/src/conf.c
index 14b14b59..1bcd65c8 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -5080,6 +5080,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
 const char *new = str;
 const char *tmp;
 char *val = NULL;
+
+ sub = NULL;
 err = parse_arg(&new, &varlen, &val);
 if (err < 0)
 goto _err;
@@ -5104,6 +5106,7 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
 err = snd_config_search(subs, var, &sub);
 if (err >= 0)
 snd_config_delete(sub);
+ sub = NULL;
 err = snd_config_search(def, "type", &typ);
 if (err < 0) {
 _invalid_type:
@@ -5169,7 +5172,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
 err = snd_config_add(subs, sub);
 if (err < 0) {
 _err:
- snd_config_delete(sub);
+ if (sub)
+ snd_config_delete(sub);
 free(val);
 return err;
 }
--
2.47.1
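Review bot: The added `sub = NULL;` in the first hunk is a separate statement, while `val` two lines above it is initialised in its declaration (`char *val = NULL;`). Initialising `sub` where it is declared would treat both cleanup-owned pointers the same way and rule out a future `goto _err` landing before the assignment. The declaration of `sub` is outside the hunk, so this assumes it sits in the same block as `val`. If the statement form stays, a short comment such as `/* _err deletes sub only when non-NULL; start with nothing owned */` would record the invariant that the new `if (sub)` guard in the third hunk relies on.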
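Review bot: In the second hunk, the `sub = NULL;` after `snd_config_delete(sub);` is the line that stops the `_err` path from freeing the same node twice, but nothing in the code says so. A comment like `/* old node is gone (or was never found): drop the stale pointer so _err cannot free it again */` would keep a later cleanup from removing it as redundant. The result of `snd_config_delete()` is also discarded here; if that call can fail, it is worth confirming that carrying on with a fresh `sub` is still correct. The function body continues outside the hunk, so the paths between this reset and the `_err` label are not visible here.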