res_agi.c: Prevent possible double free during `SPEECH RECOGNIZE`

When using the speech recognition module, crashes can occur
sporadically due to a "double free or corruption (out)" error. Now, in
the section where the audio stream is being captured in a loop, each
time after releasing fr, it is set to NULL to prevent repeated
deallocation.

Fixes #772

(cherry picked from commit 2d676c756002a82c3e6babf4594c2977a2a5836e)

diff --git a/res/res_agi.c b/res/res_agi.c
index 7d41a7e30f5ed7d8ed6a42da8799b9a5bf3215d5..f09329bb6fc06bc89574ef2d1c192a536a7044bd 100644 (file)
--- a/res/res_agi.c
+++ b/res/res_agi.c
@@ -3650,8 +3650,10 @@ static int handle_speechrecognize(struct ast_channel *chan, AGI *agi, int argc,
                        time(&current);
                        if ((current - start) >= timeout) {
                                reason = "timeout";
-                               if (fr)
+                               if (fr) {
                                        ast_frfree(fr);
+                                       fr = NULL;
+                               }
                                break;
                        }
                }
@@ -3708,6 +3710,7 @@ static int handle_speechrecognize(struct ast_channel *chan, AGI *agi, int argc,
                                reason = "hangup";
                        }
                        ast_frfree(fr);
+                       fr = NULL;
                }
        }