Review Request 127840: phonon: Avoid use-after-free after enumerating pulseaudio devices

Michael Pyne mpyne at kde.org
Thu May 5 03:07:43 BST 2016


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/127840/
-----------------------------------------------------------

Review request for Phonon.


Repository: phonon


Description
-------

Coverity notes (CID 1336170) there's a potential use-after-free in the PulseAudio support code (pulsesupport.cpp:472 uses `u`, which may have been deleted at pulsesupport.cpp:408 if this was the last time the callback needed to be run).

Since there are some interesting git commits trying to troubleshoot corruption of the data being used at :472 (e.g. 23954b3c2ba3401f6c9843eb0490d7cc26598395, 71e136457c3a609b4af86de083d2dbb44a858f84 investigating a crash followed by 2671a170bef5196d55649a26a9cd5e108acb931b removing some of the extra asserts), I'm assuming this has actually happened at least some of the time.

The problem with fixing it is that the lifetime of the `userdata` must be dynamic since (from what I can tell), the callback can be called multiple times. So as long as the `info` block is filled in before the very last callback is made, things would seem to work fine and there's no problem using `u`.

The fix is as simple as delaying the delete call to just before the function return once you're past the `if (eol)` block. Since there are multiple return points I opted to make a very simple scope guard class that should do the right thing without needing multiple levels of indirection. But it wouldn't be hard just to manually delete in the right spots either and remove the existing `delete u`.
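The delayed-delete pattern the description sketches, as an added example that is not phonon's code: a callback shaped like pa_sink_info_cb_t, a heap-allocated userdata struct standing in for `u`, and a small scope guard that frees it only on the final (eol) invocation and only when the function returns. DeviceInfo, EnumState, ScopeGuard, sinkInfoCallback and collectSinkNames are constructed names; the real pulsesupport.cpp differs in shape.

```cpp
#include <functional>
#include <string>
#include <vector>

// Stand-in for pa_sink_info (constructed for this example).
struct DeviceInfo { std::string name; };
// Heap-allocated userdata, the `u` of the callback: it must outlive every
// invocation, so the final (eol) call frees it rather than the caller.
struct EnumState {
    std::vector<std::string> *sinks;  // device names collected so far
    int *callbackCalls;               // written after the eol block (the :472-style use)
};
// Minimal scope guard (hypothetical shape, not phonon's actual class):
// runs the stored action when the enclosing scope exits by any path.
class ScopeGuard {
public:
    explicit ScopeGuard(std::function<void()> f) : m_f(f) {}
    ~ScopeGuard() { m_f(); }
private:
    std::function<void()> m_f;
};
// Callback shaped like pa_sink_info_cb_t. eol != 0 marks the last invocation
// for this enumeration, so `u` must be deleted here, but only at return.
void sinkInfoCallback(const DeviceInfo *info, int eol, void *userdata)
{
    EnumState *u = static_cast<EnumState *>(userdata);
    // Deletes u on every return path of the last call, instead of inside the
    // eol block with uses of u still to follow.
    ScopeGuard freeOnLastCall([u, eol]() { if (eol) delete u; });
    if (eol) {
        // Before the fix, `delete u;` sat here while the code below still ran.
        if (eol < 0) {
            return;  // enumeration error: the guard still frees u
        }
    } else if (info) {
        u->sinks->push_back(info->name);
    }
    ++*u->callbackCalls;  // the post-eol use of u; safe until the guard runs
}
// Drives the callback the way libpulse would: once per device, then once with
// eol = 1. Returns the collected names; *calls counts callback invocations.
std::vector<std::string> collectSinkNames(const std::vector<DeviceInfo> &devices, int *calls)
{
    std::vector<std::string> names;
    *calls = 0;
    EnumState *u = new EnumState{&names, calls};  // caller never touches u again
    for (const DeviceInfo &d : devices) sinkInfoCallback(&d, 0, u);
    sinkInfoCallback(nullptr, 1, u);
    return names;
}
```

Running the example under AddressSanitizer or Valgrind is the quickest way to confirm that moving the delete back into the eol block reintroduces the heap-use-after-free Coverity reported.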


Diffs
-----

  phonon/pulsesupport.cpp 6594c61 

Diff: https://git.reviewboard.kde.org/r/127840/diff/


Testing
-------

I don't actually have PulseAudio so to be honest I'm not even sure if this compiles...


Thanks,

Michael Pyne
