[PATCH 1/2] Fix use-after-free in src/server/speaking.c.
From: Christopher Brannon
Subject: [PATCH 1/2] Fix use-after-free in src/server/speaking.c.
Date: Wed, 27 Aug 2014 22:53:48 -0700
When current_message was resumed from the list of paused messages, it
was being freed, even though it had been re-added to the message
queues.
---
src/server/speaking.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/server/speaking.c b/src/server/speaking.c
index 5d46cde..b385473 100644
--- a/src/server/speaking.c
+++ b/src/server/speaking.c
@@ -155,6 +155,13 @@ void *speak(void *data)
MSG(5, "Reloading message");
reload_message((TSpeechDMessage
*) gl->data);
+/* If this resumed message is the same as current_message, then it gets
+ * another trip through the queue. However, some code later in this
+ * function will free current_message, even though it is now requeued!
+ * Hence use-after-free.
+ * current_message is pretty useless after the requeue, make it NULL. */
+ if (current_message == gl->data)
+ current_message = NULL;
} else
break;
}
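Review bot: the new comment says "some code later in this function will free current_message" but does not name that site, and once current_message can be NULL on this path every later use of it in speak(), not only the free, has to tolerate NULL; name the freeing site in the comment (or guard it there) so a reader can verify that invariant without re-reading the whole function. The wording "current_message is pretty useless after the requeue" also understates the point: the message queue owns the object again after reload_message(), so this thread must give up its reference, which is what the assignment to NULL enforces.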
--
1.8.5.5
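The ownership bug described in the commit message, as an added example that is not speech-dispatcher's code: a current message that was parked on the paused list is reloaded into the message queue on resume, and a later "finish" step still frees it through the stale current_message pointer, so the next pop returns freed memory. The names (msg_t, message_queue, paused_queue, run_scenario) and the fixed-size pool with an alive flag, used here so the use-after-free can be detected instead of crashing, are all constructed for the illustration.

```c
/* Constructed model of the speaking.c ownership bug; not the project's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8

typedef struct msg {
    int id;
    int alive;          /* 1 while allocated; 0 after msg_free() */
    struct msg *next;
} msg_t;

/* Tiny pool instead of malloc/free so a freed entry is observable. */
static msg_t pool[POOL_SIZE];
static int next_slot;

static msg_t *msg_new(int id)
{
    msg_t *m = &pool[next_slot++ % POOL_SIZE];
    m->id = id;
    m->alive = 1;
    m->next = NULL;
    return m;
}

static void msg_free(msg_t *m) { m->alive = 0; }

typedef struct { msg_t *head, *tail; } queue_t;

static void q_push(queue_t *q, msg_t *m)
{
    m->next = NULL;
    if (q->tail) q->tail->next = m; else q->head = m;
    q->tail = m;
}

static msg_t *q_pop(queue_t *q)
{
    msg_t *m = q->head;
    if (m) {
        q->head = m->next;
        if (!q->head) q->tail = NULL;
        m->next = NULL;
    }
    return m;
}

static queue_t message_queue, paused_queue;
static msg_t *current_message;   /* message this thread is speaking */

/* Resume: reload every paused message into the message queue.
 * With apply_fix set, drop our reference when the requeued message is
 * the one we were speaking (the patch's "current_message = NULL"). */
static void resume_paused(int apply_fix)
{
    msg_t *m;
    while ((m = q_pop(&paused_queue)) != NULL) {
        q_push(&message_queue, m);           /* queue owns it again */
        if (apply_fix && current_message == m)
            current_message = NULL;
    }
}

/* The "code later in this function" that frees current_message. */
static void finish_current(void)
{
    if (current_message) {
        msg_free(current_message);
        current_message = NULL;
    }
}

/* Pop everything queued; -1 means a freed message was handed out. */
static int drain(void)
{
    int n = 0;
    msg_t *m;
    while ((m = q_pop(&message_queue)) != NULL) {
        if (!m->alive) return -1;           /* use-after-free detected */
        msg_free(m);
        n++;
    }
    return n;
}

static void reset(void)
{
    memset(&message_queue, 0, sizeof message_queue);
    memset(&paused_queue, 0, sizeof paused_queue);
    memset(pool, 0, sizeof pool);
    current_message = NULL;
    next_slot = 0;
}

/* Returns 2 (both messages spoken) with the fix, -1 without it. */
int run_scenario(int apply_fix)
{
    reset();
    current_message = msg_new(1);            /* being spoken */
    q_push(&paused_queue, current_message);  /* pause parks it */
    q_push(&paused_queue, msg_new(2));       /* a second paused message */
    resume_paused(apply_fix);                /* both reloaded into queue */
    finish_current();                        /* unfixed: frees a queued msg */
    return drain();
}

int main(void)
{
    printf("without fix: %d\n", run_scenario(0));
    printf("with fix:    %d\n", run_scenario(1));
    return 0;
}
```

The point the model makes is that the fix is not about current_message being "useless" but about ownership: after reload_message() the queue holds the only legitimate reference, and any other pointer to the object must be dropped before the code path that frees it runs.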