From: Nickolay Shmyrev <nshmyrev@alphacephei.com>
Date: Fri, 21 Aug 2020 21:53:04 +0000 (+0200)
Subject: res_speech: Bump reference on format object
X-Git-Tag: 18.0.0-rc1~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0319e0b07f7a38860575254cfd4188682cd89eb1;p=thirdparty%2Fasterisk.git

res_speech: Bump reference on format object

Properly bump reference on format object to avoid memory corruption on double free

ASTERISK-29040 #close

Change-Id: Ic5a7faabfe2ef965ddb024186e1de7ca4542e2a3
---

diff --git a/res/res_speech.c b/res/res_speech.c
index 31ad61acb4..57f6fa61e9 100644
--- a/res/res_speech.c
+++ b/res/res_speech.c
@@ -220,16 +220,17 @@ struct ast_speech *ast_speech_new(const char *engine_name, const struct ast_form
 	new_speech->engine = engine;
 
 	/* Can't forget the format audio is going to be in */
-	new_speech->format = best;
+	new_speech->format = ao2_bump(best);
 
 	/* We are not ready to accept audio yet */
 	ast_speech_change_state(new_speech, AST_SPEECH_STATE_NOT_READY);
 
 	/* Pass ourselves to the engine so they can set us up some more and if they error out then do not create a structure */
-	if (engine->create(new_speech, best)) {
+	if (engine->create(new_speech, new_speech->format)) {
 		ast_mutex_destroy(&new_speech->lock);
+		ao2_ref(new_speech->format, -1);
 		ast_free(new_speech);
-		new_speech = NULL;
+		return NULL;
 	}
 
 	return new_speech;