speechd-discuss

[PATCH 1/2] Fix use-after-free in src/server/speaking.c.


From: Christopher Brannon
Subject: [PATCH 1/2] Fix use-after-free in src/server/speaking.c.
Date: Wed, 27 Aug 2014 22:53:48 -0700

When current_message was resumed from the list of paused messages, it
was being freed, even though it had been re-added to the message
queues.
---
 src/server/speaking.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/server/speaking.c b/src/server/speaking.c
index 5d46cde..b385473 100644
--- a/src/server/speaking.c
+++ b/src/server/speaking.c
@@ -155,6 +155,13 @@ void *speak(void *data)
                                                MSG(5, "Reloading message");
                                                reload_message((TSpeechDMessage
                                                                *) gl->data);
+/* If this resumed message is the same as current_message, then it gets
+ * another trip through the queue.  However, some code later in this
+ * function will free current_message, even though it is now requeued!
+ * Hence use-after-free.
+ * current_message is pretty useless after the requeue, make it NULL. */
+                                               if (current_message == gl->data)
+                                                       current_message = NULL;
                                        } else
                                                break;
                                }
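Review bot: the added comment block is flush-left while the code it annotates (the `if (current_message == gl->data)` line) sits several indentation levels deep inside the loop; indent the comment to match that block so it reads as part of it. On the logic, setting `current_message = NULL` here is only safe if every later use of `current_message` in `speak()`, including the free site the comment alludes to, already tolerates NULL; otherwise the use-after-free turns into a NULL dereference. Naming that free site in the comment instead of "some code later in this function" would let the next reader check that invariant directly.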
-- 
1.8.5.5
