From a03e34e9ab0146ddf6efd54c0974ad00fa828723 Mon Sep 17 00:00:00 2001 From: "tina.legrand@webrtc.org" Date: Thu, 19 Sep 2013 13:32:14 +0000 Subject: [PATCH] Heap-use-after-free in WebRtcNetEQ_RecInRTPStruct Pointer to released memory was not set to NULL, which means you could get a heap-us-after-free in the code. It happens if one of the slaves of NetEq is deleted, but we keep trying to decode packets. BUG= R=henrik.lundin@webrtc.org Review URL: https://webrtc-codereview.appspot.com/2259004 git-svn-id: http://webrtc.googlecode.com/svn/trunk@4792 4adac7df-926f-26a2-2b94-8c16560cd09d --- webrtc/modules/audio_coding/main/source/acm_neteq.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/webrtc/modules/audio_coding/main/source/acm_neteq.cc b/webrtc/modules/audio_coding/main/source/acm_neteq.cc index 2ade7bf57..154cc54d0 100644 --- a/webrtc/modules/audio_coding/main/source/acm_neteq.cc +++ b/webrtc/modules/audio_coding/main/source/acm_neteq.cc @@ -131,6 +131,7 @@ int16_t ACMNetEQ::InitByIdxSafe(const int16_t idx) { if (inst_mem_[idx] != NULL) { free(inst_mem_[idx]); inst_mem_[idx] = NULL; + inst_[idx] = NULL; } inst_mem_[idx] = malloc(memory_size_bytes); if (inst_mem_[idx] == NULL) { @@ -144,6 +145,7 @@ int16_t ACMNetEQ::InitByIdxSafe(const int16_t idx) { if (inst_mem_[idx] != NULL) { free(inst_mem_[idx]); inst_mem_[idx] = NULL; + inst_[idx] = NULL; } LogError("Assign", idx); WEBRTC_TRACE(webrtc::kTraceError, webrtc::kTraceAudioCoding, id_, @@ -155,6 +157,7 @@ int16_t ACMNetEQ::InitByIdxSafe(const int16_t idx) { if (inst_mem_[idx] != NULL) { free(inst_mem_[idx]); inst_mem_[idx] = NULL; + inst_[idx] = NULL; } LogError("Init", idx); WEBRTC_TRACE(webrtc::kTraceError, webrtc::kTraceAudioCoding, id_, @@ -971,6 +974,7 @@ void ACMNetEQ::RemoveNetEQSafe(int index) { if (inst_mem_[index] != NULL) { free(inst_mem_[index]); inst_mem_[index] = NULL; + inst_[index] = NULL; } if (neteq_packet_buffer_[index] != NULL) { free(neteq_packet_buffer_[index]);