From: David Woodhouse
Date: Fri, 26 Jul 2024 07:47:50 +0000 (+0100)
Subject: Fix use-after-free in audio frag overlap
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=HEAD;p=pidgin-chime.git
Fix use-after-free in audio frag overlap
Signed-off-by: David Woodhouse
---
diff --git a/chime/chime-call-audio.c b/chime/chime-call-audio.c
index a74fc0f..95a2682 100644
--- a/chime/chime-call-audio.c
+++ b/chime/chime-call-audio.c
@@ -341,6 +341,7 @@ static gboolean idle_send_ack(gpointer _audio)
 static gboolean insert_frag(struct message_buf *m, gint32 start, gint32 end)
 {
 struct message_frag **f = &m->frags, *nf;
+// printf("Insert frag %d-%d\n", start, end);
 while (*f) {
 if (end < (*f)->start) {
 /* Insert before *f */
@@ -352,8 +353,8 @@ static gboolean insert_frag(struct message_buf *m, gint32 start, gint32 end)
 /* ... and merge subsequent frags that we now touch */
 if (end > (*f)->end) {
 (*f)->end = end;
- nf = (*f)->next;
- while ((*f)->next && nf->start <= (*f)->end) {
+ while ((nf = (*f)->next) &&
+ nf->start <= (*f)->end) {
 (*f)->end = nf->end;
 (*f)->next = nf->next;
 g_free(nf);
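Review bot: The added `// printf("Insert frag %d-%d\n", start, end);` at the top of insert_frag is commented-out debug code checked in at column 0, and it has nothing to do with the use-after-free the commit fixes. It should be dropped, or if the trace is wanted, turned into a compiled debug-level log such as `g_debug("Insert frag %d-%d", start, end);` (assuming the file already uses GLib logging; it does use g_free). Commented-out calls tend to be re-enabled later without the format string being re-checked against the argument types. insert_frag's body continues past this hunk.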
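Review bot: Re-reading `nf` from `(*f)->next` on every iteration removes the read of the freed node, but the merge body right after the new loop header can still shrink the fragment: `(*f)->end` has just been set to `end`, and `(*f)->end = nf->end;` overwrites it with the absorbed fragment's end even when that is smaller, so when the inserted range reaches past a later fragment the merged end moves back and any further fragments the range also covered are left unmerged. Unless an invariant not visible here guarantees every absorbed fragment ends beyond `end`, the assignment should keep the larger bound: `if (nf->end > (*f)->end) (*f)->end = nf->end;`. The other branches of insert_frag, and the function's start and end, lie outside this hunk, so I cannot confirm whether the "Insert before *f" path already accounts for this.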