StarMirror/toxcore
1
0
Fork 0
mirror of https://github.com/irungentoo/toxcore.git synced 2024-03-22 13:30:51 +08:00
Code Issues Projects Releases Wiki Activity

Fix use-after-free of toxav's TimerHandler

Browse Source 
If msi.c:timer_terminate_session frees "handler", then when msi.c:timer_poll's thread resumes, there WILL be a use after free of "handler", with a likely segfault.

This use after free causes a crash in qTox, see tux3/qTox#534
This commit is contained in:
Tux3 / Mlkj / !Lev.uXFMLA 2014-10-25 12:28:54 +02:00
parent 9878b441b1
commit ea4320733f
No known key found for this signature in database
GPG Key ID: 7E086DD661263264
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
toxav/msi.c
View File

@ -631,6 +631,7 @@ static void *timer_poll( void *arg )
usleep(handler->resolution); usleep(handler->resolution);
} }
free(handler);
pthread_exit(NULL); pthread_exit(NULL);
} }
@ -699,8 +700,6 @@ static void timer_terminate_session(TimerHandler *handler)
free(handler->timers); free(handler->timers);
pthread_mutex_destroy( &handler->mutex ); pthread_mutex_destroy( &handler->mutex );
free(handler);
} }
/** /**