From ea4320733f62c7b3ccc34edde6fc95043bb2d663 Mon Sep 17 00:00:00 2001
From: "Tux3 / Mlkj / !Lev.uXFMLA"
Date: Sat, 25 Oct 2014 12:28:54 +0200
Subject: [PATCH] Fix use-after-free of toxav's TimerHandler

If msi.c:timer_terminate_session frees "handler", then when msi.c:timer_poll's thread resumes, there WILL be a use after free of "handler", with a likely segfault.

This use after free causes a crash in qTox, see tux3/qTox#534
---
 toxav/msi.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/toxav/msi.c b/toxav/msi.c
index 7f390435..138c8d3f 100644
--- a/toxav/msi.c
+++ b/toxav/msi.c
@@ -631,6 +631,7 @@ static void *timer_poll( void *arg )
         usleep(handler->resolution);
     }
 
+    free(handler);
     pthread_exit(NULL);
 }
 
@@ -699,8 +700,6 @@ static void timer_terminate_session(TimerHandler *handler)
     free(handler->timers);
     pthread_mutex_destroy( &handler->mutex );
 
-
-    free(handler);
 }
 
 /**
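Review bot: Moving `free(handler)` into timer_poll closes the original use-after-free only if timer_terminate_session can no longer touch `handler` once the poll loop exits, and the second hunk shows it still reads `handler->timers` and `handler->mutex` without joining the thread first. If the thread leaves its loop and reaches the new `free(handler)` while timer_terminate_session is still between `free(handler->timers)` and `pthread_mutex_destroy( &handler->mutex )`, the same class of bug reappears in the other direction; the loop condition and any join are outside the hunk, so I cannot confirm the ordering from here. The safer shape is to give the thread sole ownership of the teardown, i.e. after the loop in timer_poll do `free(handler->timers);`, `pthread_mutex_destroy( &handler->mutex );`, `free(handler);` and leave timer_terminate_session with only the stop signal, or alternatively have timer_terminate_session `pthread_join` the poll thread before freeing anything. Either way, a comment on timer_poll such as `/* Owns handler after the loop exits: timer_terminate_session must not touch it. */` would document the ownership transfer this commit introduces. The body of timer_poll begins outside the hunk.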