[asterisk-commits] dvossel: branch 1.6.0 r228696 - in /branches/1.6.0: ./ main/channel.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Fri Nov 6 16:38:07 CST 2009 

Author: dvossel
Date: Fri Nov  6 16:38:05 2009
New Revision: 228696

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=228696
Log:
Merged revisions 228693 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

................
  r228693 | dvossel | 2009-11-06 16:35:44 -0600 (Fri, 06 Nov 2009) | 16 lines
  
  Merged revisions 228692 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r228692 | dvossel | 2009-11-06 16:33:27 -0600 (Fri, 06 Nov 2009) | 9 lines
    
    fixes audiohook write crash occuring in chan_spy whisper mode.
    
    After writing to the audiohook list in ast_write(), frames
    were being freed incorrectly.  Under certain conditions this
    resulted in a double free crash.
    
    (closes issue #16133)
    Reported by: wetwired
  ........
................

Modified:
    branches/1.6.0/   (props changed)
    branches/1.6.0/main/channel.c

Propchange: branches/1.6.0/
------------------------------------------------------------------------------
Binary property 'trunk-merged' - no diff available.

Modified: branches/1.6.0/main/channel.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.6.0/main/channel.c?view=diff&rev=228696&r1=228695&r2=228696
==============================================================================
--- branches/1.6.0/main/channel.c (original)
+++ branches/1.6.0/main/channel.c Fri Nov  6 16:38:05 2009
@@ -3470,6 +3470,11 @@
 
 		if (chan->audiohooks) {
 			struct ast_frame *prev = NULL, *new_frame, *cur, *dup;
+			int freeoldlist = 0;
+
+			if (f != fr) {
+				freeoldlist = 1;
+			}
 
 			/* Since ast_audiohook_write may return a new frame, and the cur frame is
 			 * an item in a list of frames, create a new list adding each cur frame back to it
@@ -3480,13 +3485,16 @@
 				/* if this frame is different than cur, preserve the end of the list,
 				 * free the old frames, and set cur to be the new frame */
 				if (new_frame != cur) {
+
 					/* doing an ast_frisolate here seems silly, but we are not guaranteed the new_frame
 					 * isn't part of local storage, meaning if ast_audiohook_write is called multiple
 					 * times it may override the previous frame we got from it unless we dup it */
 					if ((dup = ast_frisolate(new_frame))) {
 						AST_LIST_NEXT(dup, frame_list) = AST_LIST_NEXT(cur, frame_list);
-						ast_frfree(new_frame);
-						ast_frfree(cur);
+						if (freeoldlist) {
+							AST_LIST_NEXT(cur, frame_list) = NULL;
+							ast_frfree(cur);
+						}
 						cur = dup;
 					}
 				}

More information about the asterisk-commits mailing list