Fix use-after-free in audio frag overlap

author David Woodhouse <dwmw@amazon.co.uk>

Fri, 26 Jul 2024 07:47:50 +0000 (08:47 +0100)

committer David Woodhouse <dwmw@amazon.co.uk>

Fri, 26 Jul 2024 07:48:21 +0000 (08:48 +0100)
author David Woodhouse <dwmw@amazon.co.uk>
Fri, 26 Jul 2024 07:47:50 +0000 (08:47 +0100)
committer David Woodhouse <dwmw@amazon.co.uk>
Fri, 26 Jul 2024 07:48:21 +0000 (08:48 +0100)
diff --git a/chime/chime-call-audio.c b/chime/chime-call-audio.c

index a74fc0f9428d595b26c958b5775b6bbdbbd1c822..95a268294f3c01300db69767bc310cc61ac55241 100644 (file)
--- a/chime/chime-call-audio.c
+++ b/chime/chime-call-audio.c
@@ -341,6 +341,7 @@ static gboolean idle_send_ack(gpointer _audio)
  static gboolean insert_frag(struct message_buf *m, gint32 start, gint32 end)
  {
         struct message_frag **f = &m->frags, *nf;
+//     printf("Insert frag %d-%d\n", start, end);
         while (*f) {
                 if (end < (*f)->start) {
                         /* Insert before *f */
@@ -352,8 +353,8 @@ static gboolean insert_frag(struct message_buf *m, gint32 start, gint32 end)
                         /* ... and merge subsequent frags that we now touch */
                         if (end > (*f)->end) {
                                 (*f)->end = end;
-                               nf = (*f)->next;
-                               while ((*f)->next && nf->start <= (*f)->end) {
+                               while ((nf = (*f)->next) &&
+                                      nf->start <= (*f)->end) {
                                         (*f)->end = nf->end;
                                         (*f)->next = nf->next;
                                         g_free(nf);
author	David Woodhouse <dwmw@amazon.co.uk>
	Fri, 26 Jul 2024 07:47:50 +0000 (08:47 +0100)
committer	David Woodhouse <dwmw@amazon.co.uk>
	Fri, 26 Jul 2024 07:48:21 +0000 (08:48 +0100)