From: Richard Mudgett Date: Wed, 15 Nov 2017 00:00:55 +0000 (-0600) Subject: audiohook.c: Fix freeing a frame and still using it. X-Git-Tag: 13.19.0-rc1~124^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f916d621a5cceb7173fb5a86d540c73862ce5a2;p=thirdparty%2Fasterisk.git audiohook.c: Fix freeing a frame and still using it. Memory corruption happened to the media frame caches when an audio hook freed a frame when it shouldn't. I think the freed frame was because a jitter buffer interpolated a missing frame and the audio hook unconditionally freed it. * Made audiohook.c:audio_audiohook_write_list() not free an interpolated frame if it is the same frame as what was passed into the routine. * Made plc.c:normalise_history() use memmove() instead of memcpy() on a memory block that could overlap. Found by valgrind investigating this issue. ASTERISK-27238 ASTERISK-27412 Change-Id: I548d86894281fc4529aefeb9f161f2131ecc6fde
---
diff --git a/main/audiohook.c b/main/audiohook.c
index 869cb750e8..cb3c4bcb31 100644
--- a/main/audiohook.c
+++ b/main/audiohook.c
@@ -947,7 +947,9 @@ static struct ast_frame *audio_audiohook_write_list(struct ast_channel *chan, st
 * rely on actual media being present to do things. */
 if (!middle_frame->data.ptr) {
- ast_frfree(middle_frame);
+ if (middle_frame != start_frame) {
+ ast_frfree(middle_frame);
+ }
 return start_frame;
 }
diff --git a/main/plc.c b/main/plc.c
index 1f0206920e..4421e7a0cf 100644
--- a/main/plc.c
+++ b/main/plc.c
@@ -98,7 +98,7 @@ static void normalise_history(plc_state_t *s)
 if (s->buf_ptr == 0) return;
 memcpy(tmp, s->history, sizeof(int16_t)*s->buf_ptr);
- memcpy(s->history, s->history + s->buf_ptr, sizeof(int16_t) * (PLC_HISTORY_LEN - s->buf_ptr));
+ memmove(s->history, s->history + s->buf_ptr, sizeof(int16_t) * (PLC_HISTORY_LEN - s->buf_ptr));
 memcpy(s->history + PLC_HISTORY_LEN - s->buf_ptr, tmp, sizeof(int16_t) * s->buf_ptr);
 s->buf_ptr = 0;
 }
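Review bot: The new `if (middle_frame != start_frame)` guard in main/audiohook.c carries no comment saying why the two pointers can be equal or who owns the frame, and that ownership rule is the whole fix: `start_frame` is returned to the caller on the next line, so freeing it here hands back a dangling frame. I would add above the guard `/* middle_frame can be the caller's own frame; only free it when it is a separate frame obtained here, because start_frame is returned below. */`. The body of audio_audiohook_write_list() starts and ends outside this hunk, so any other exit path that frees middle_frame should be checked for the same aliasing before the issue is considered closed.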
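Review bot: All three copies in normalise_history() take their length from `s->buf_ptr` without comparing it to `PLC_HISTORY_LEN`, so a value above that bound would make `PLC_HISTORY_LEN - s->buf_ptr` negative and turn the memmove() length into a very large size_t. The field is presumably kept in range by the code that fills the history, and `tmp` is declared outside this hunk, so this is defensive rather than a known fault. Widening the existing early return to `if (s->buf_ptr <= 0 || s->buf_ptr > PLC_HISTORY_LEN) return;` (assuming buf_ptr is a signed integer) would keep a corrupted state from becoming an out-of-bounds write. A short comment on the memmove() line, for example `/* source and destination overlap when buf_ptr is small; must be memmove */`, would also keep the call from being changed back to memcpy().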