Changeset 5299:5fbc169961b9 in roaraudio


Timestamp:
11/25/11 09:24:14 (8 years ago)
Author:
phi
Branch:
default
Message:

changed prototype of roar_buffer_moveinto() to avoid use-after-free bugs

Files:
2 edited

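--- a/include/libroar/buffer.h
+++ b/include/libroar/buffer.h
@@ -69,5 +69,5 @@
 int roar_buffer_next     (struct roar_buffer ** buf) _LIBROAR_BUFFER_STDATTRS;
 int roar_buffer_add      (struct roar_buffer *  buf, struct roar_buffer *  next) _LIBROAR_BUFFER_STDATTRS;
-int roar_buffer_moveinto (struct roar_buffer *  buf, struct roar_buffer *  next) _LIBROAR_BUFFER_STDATTRS;
+int roar_buffer_moveinto (struct roar_buffer *  buf, struct roar_buffer ** next) _LIBROAR_BUFFER_STDATTRS;
 
 int roar_buffer_ref      (struct roar_buffer *  buf) _LIBROAR_ATTR_NONNULL_ALL;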
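Review bot: The new `struct roar_buffer ** next` out-parameter carries an ownership transfer that the declaration does not state: as far as the buffer.c hunks show, on success the callee links `*next` into the chain and then sets `*next = NULL`, so the caller must not free or reuse that pointer afterwards, while `roar_buffer_add()` passes the address of its own local copy and so leaves the caller's pointer valid. A comment above the prototype such as `/* Moves *next into buf's chain. On success *next is set to NULL and is owned by the chain; on error *next appears to be left unchanged and remains the caller's (verify against the error paths). */` would make the contract this commit introduces visible to every caller of the header.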
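--- a/libroar/buffer.c
+++ b/libroar/buffer.c
@@ -95,4 +95,6 @@
  if ( buf->refc == 0 ) {
   roar_panic(ROAR_FATAL_ERROR_MEMORY_CORRUPTION, NULL);
+  roar_err_set(ROAR_ERROR_FAULT);
+  return -1;
  }
 
@@ -264,13 +266,14 @@
 
 int roar_buffer_add      (struct roar_buffer * buf, struct roar_buffer *  next) {
- return roar_buffer_moveinto(buf, next);
-}
-
-int roar_buffer_moveinto (struct roar_buffer * buf, struct roar_buffer *  next) {
+ return roar_buffer_moveinto(buf, &next);
+}
+
+int roar_buffer_moveinto (struct roar_buffer * buf, struct roar_buffer ** next) {
  unsigned int deep = 0;
 
- _ckbuf(0)
+ _ckbuf(next == NULL || _ckmem_corruption(*next, 0))
 
  ROAR_DBG("buffer_add(buf=%p, next=%p) = ?", buf, next);
+ ROAR_DBG("buffer_add(buf=%p, next=%p): *next=%p", buf, next, *next);
 
  if ( buf->flags & ROAR_BUFFER_FLAG_RING ) {
@@ -279,5 +282,5 @@
  }
 
- if ( buf == next ) {
+ if ( buf == *next ) {
   ROAR_ERR("buffer_add(*): both pointer are of the same destination, This is a error in the application");
   roar_err_set(ROAR_ERROR_INVAL);
@@ -291,5 +294,5 @@
   deep++;
 
-  if ( buf == next ) {
+  if ( buf == *next ) {
    ROAR_ERR("buffer_add(*): Can not add buffer: loop detected at deep %u. This is a error in the application", deep);
    // why don't we return here?
@@ -297,7 +300,9 @@
  }
 
- buf->next = next;
+ buf->next = *next;
 
  ROAR_DBG("buffer_add(*): adding buffer at deep %u", deep);
+
+ *next = NULL;
 
  return 0;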
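Review bot: The loop-detection branch (`if ( buf == *next )` inside the walk, fourth hunk) still only logs and then falls through to the new `buf->next = *next;` and `*next = NULL;` in the last hunk, so when a cycle is detected the caller's pointer is cleared as if ownership had been transferred cleanly and the chain is left linked into a loop; the pre-existing `// why don't we return here?` now has a concrete answer, e.g. `roar_err_set(ROAR_ERROR_INVAL); return -1;` before the fall-through (the lines between the log call and the closing brace are outside the hunk, so the exact insertion point cannot be seen here). On the `buf == *next` error path in the third hunk `*next` appears to be left untouched, so the caller keeps ownership only on that failure; that asymmetry should be stated in a comment above `roar_buffer_moveinto()`. In the first hunk the added `roar_err_set(ROAR_ERROR_FAULT); return -1;` after `roar_panic()` is only reachable if roar_panic() can return; if it is declared noreturn the two lines are dead, which is harmless but worth a one-line comment. `roar_buffer_moveinto()` starts in the second hunk and its body runs past the last one.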