From c96e167bcedfb91526780f7da86fc0872017119d Mon Sep 17 00:00:00 2001 From: Kui Wang Date: Thu, 13 Jul 2017 19:33:05 +0000 Subject: [PATCH] pulse: prevent double-free when pulse_hw_constraint returns error When pulse_hw_constraint returns error, snd_pcm_ioplug_delete() is called. It will then call pulse_close() where "snd_pcm_pulse_t *pcm" will be free. Then if goto the "error" label, the "snd_pcm_pulse_t *pcm" will be double-free. To prevent this, just jump over the code which might cause double-free. Signed-off-by: Kui Wang Signed-off-by: Takashi Iwai --- pulse/pcm_pulse.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pulse/pcm_pulse.c b/pulse/pcm_pulse.c index 5cb3452..a8983c6 100644 --- a/pulse/pcm_pulse.c +++ b/pulse/pcm_pulse.c @@ -1143,7 +1143,7 @@ SND_PCM_PLUGIN_DEFINE_FUNC(pulse) err = pulse_hw_constraint(pcm); if (err < 0) { snd_pcm_ioplug_delete(&pcm->io); - goto error; + goto error2; } *pcmp = pcm->io.pcm; @@ -1156,6 +1156,7 @@ error: free(pcm->device); free(pcm); +error2: if (fallback_name) return snd_pcm_open_fallback(pcmp, root, fallback_name, name, stream, mode); -- 2.47.1
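Review bot: The new `goto error2;` in the `err < 0` branch is only safe because, per the commit message, `snd_pcm_ioplug_delete(&pcm->io)` has already released `pcm` through `pulse_close()`, and nothing at the call site records that. A comment above the jump would make the ownership transfer explicit, e.g. `/* snd_pcm_ioplug_delete() runs pulse_close(), which frees pcm; skip the frees under error: */`. From that line on `pcm` is dangling, so nothing reached through `error2` may read it. The visible fallback call takes only `pcmp`, `root`, `fallback_name`, `name`, `stream` and `mode`, but the function continues past the end of the hunk, so any later use of `pcm` there would need checking.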
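Review bot: The label `error2:` added after `free(pcm);` does not say how it differs from `error:`. A name describing the code under it, such as `fallback:` (with `goto fallback;` in the first hunk), would make the two exits easier to tell apart. On both routes to this label `pcm` has already been freed, so a one-line comment on it, `/* pcm is already freed here: do not touch pcm below */`, would guard against a later edit introducing a use-after-free. The `error:` block starts above this hunk and the function's final return is below it, so neither is visible here.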