From 9d04e76f3f0e460aed44ac3bfb25e36068b1c832 Mon Sep 17 00:00:00 2001
From: wm4
Date: Sat, 14 Mar 2020 13:36:27 +0100
Subject: ao_pcm: fix double free on exit

This seems to be an older bug. It set priv->outputfilename to a new talloc-allocated string, but the field is also managed as string option, so talloc will free it first, then m_option_free() is called on the dangling pointer. Possibly this is caused by the earlier ta destruction order change.
---
 audio/out/ao_pcm.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/audio/out/ao_pcm.c b/audio/out/ao_pcm.c
index 689d5c019a..5de213f07d 100644
--- a/audio/out/ao_pcm.c
+++ b/audio/out/ao_pcm.c
@@ -111,9 +111,11 @@ static int init(struct ao *ao)
 {
     struct priv *priv = ao->priv;
 
-    if (!priv->outputfilename)
-        priv->outputfilename =
-            talloc_strdup(priv, priv->waveheader ? "audiodump.wav" : "audiodump.pcm");
+    char *outputfilename = priv->outputfilename;
+    if (!outputfilename) {
+        outputfilename = talloc_strdup(priv, priv->waveheader ? "audiodump.wav"
+                                                              : "audiodump.pcm");
+    }
 
     ao->format = af_fmt_from_planar(ao->format);
 
@@ -148,13 +150,13 @@ static int init(struct ao *ao)
     ao->bps = ao->channels.num * ao->samplerate * af_fmt_to_bytes(ao->format);
 
     MP_INFO(ao, "File: %s (%s)\nPCM: Samplerate: %d Hz Channels: %d Format: %s\n",
-            priv->outputfilename,
+            outputfilename,
             priv->waveheader ? "WAVE" : "RAW PCM", ao->samplerate, ao->channels.num,
             af_fmt_to_str(ao->format));
 
-    priv->fp = fopen(priv->outputfilename, priv->append ? "ab" : "wb");
+    priv->fp = fopen(outputfilename, priv->append ? "ab" : "wb");
     if (!priv->fp) {
-        MP_ERR(ao, "Failed to open %s for writing!\n", priv->outputfilename);
+        MP_ERR(ao, "Failed to open %s for writing!\n", outputfilename);
         return -1;
     }
     if (priv->waveheader) // Reserve space for wave header
-- 
cgit v1.2.3
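Review bot: The reason the default name now lives in a local rather than in `priv->outputfilename` is only recorded in the commit message, so the next reader of `init()` is likely to fold it back into the field and reintroduce the double free; add a comment above `char *outputfilename = priv->outputfilename;` such as `// Keep the default in a local: priv->outputfilename is an m_option-managed string, so storing a talloc child here makes it freed twice on exit (once by talloc, once by m_option_free()).` The `talloc_strdup()` result is used unchecked; if this talloc build does not abort on allocation failure, a NULL would reach `fopen()` in the second hunk, so either a one-line `if (!outputfilename) return -1;` or a comment stating that allocation failure aborts is worth adding. `init()` continues past the end of this hunk.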
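Review bot: The failure message on the `MP_ERR` line that this hunk rewrites still drops the reason `fopen()` failed, which is the one piece of information a user with a permission or path problem needs; while the line is being touched, `MP_ERR(ao, "Failed to open %s for writing: %s\n", outputfilename, strerror(errno));` (or the project's own strerror wrapper, if it has one) would make the log actionable. The rest of `init()`, including whatever happens after the wave-header reservation, lies outside this hunk.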