diff options
| author | Tux3 / Mlkj / !Lev.uXFMLA <barrdetwix@gmail.com> | 2014-10-25 12:28:54 +0200 |
|---|---|---|
| committer | Tux3 / Mlkj / !Lev.uXFMLA <barrdetwix@gmail.com> | 2014-10-25 12:29:10 +0200 |
| commit | ea4320733f62c7b3ccc34edde6fc95043bb2d663 (patch) | |
| tree | 063053807bc2eccbd13ab752bace1f099df9a68d | |
| parent | 9878b441b1d2b175b20d28cc41406280e3cada31 (diff) | |
Fix use-after-free of toxav's TimerHandler
If msi.c:timer_terminate_session frees "handler", then when msi.c:timer_poll's thread resumes, there WILL be a use after free of "handler", with a likely segfault.
This use after free causes a crash in qTox, see tux3/qTox#534
| -rw-r--r-- | toxav/msi.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/toxav/msi.c b/toxav/msi.c index 7f390435..138c8d3f 100644 --- a/toxav/msi.c +++ b/toxav/msi.c | |||
| @@ -631,6 +631,7 @@ static void *timer_poll( void *arg ) | |||
| 631 | usleep(handler->resolution); | 631 | usleep(handler->resolution); |
| 632 | } | 632 | } |
| 633 | 633 | ||
| 634 | free(handler); | ||
| 634 | pthread_exit(NULL); | 635 | pthread_exit(NULL); |
| 635 | } | 636 | } |
| 636 | 637 | ||
| @@ -699,8 +700,6 @@ static void timer_terminate_session(TimerHandler *handler) | |||
| 699 | free(handler->timers); | 700 | free(handler->timers); |
| 700 | 701 | ||
| 701 | pthread_mutex_destroy( &handler->mutex ); | 702 | pthread_mutex_destroy( &handler->mutex ); |
| 702 | |||
| 703 | free(handler); | ||
| 704 | } | 703 | } |
| 705 | 704 | ||
| 706 | /** | 705 | /** |