[asterisk-dev] 1.6.1.10-rc1 crash on a VOLUME() func

Pavel Troller patrol at sinus.cz
Mon Nov 9 05:31:03 CST 2009


Hi Kaloyan,

> 
> Looking a bit more at the code ...
> 
>  /* Feed in frame to manipulation */
>  if (audiohook->manipulate_callback(audiohook, chan, middle_frame, direction)) {
>  	ast_frfree(middle_frame);
>  	middle_frame = NULL;
>  }
> 
> so if there is more than one manipulate audiohook and the first one fails
> (returns nonzero), the middle_frame is set to NULL, but then in
> volume_callback we have:
> 
>    if (frame->frametype == AST_FRAME_DTMF) {
> 
> could this be the reason for the crash (or separate issue)? If so then few
> lines before this check there should be:
> 
>  if (audiohook->status == AST_AUDIOHOOK_STATUS_DONE || !frame)
>  	return 0;
> 

Yes, it looks very suspicious, but I'm afraid that it also isn't the primary
reason for the crash. It seems more like a separate issue, which doesn't happen
here. That case would cause a segfault (accessing memory near zero), while my
crash is a double free (or a memlist corruption) detected by glibc. So it
looks like some memory gets freed, but the pointer is not zeroed, and then the
same memory is freed again. Now I'm configuring my build to be able
to obtain a usable backtrace.

> or in audiohooks code the middle frame should not be freed instead, but there
> should be (another) temporary frame which is used to replace middle_frame only
> on success?
> 
   With regards, Pavel
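A toy C model of the two failure modes discussed in this message, added here as an illustration and not code from Asterisk or from either poster. The `struct frame`, `struct audiohook`, `run_manipulate_chain` and the callbacks are assumptions standing in for ast_frame, ast_audiohook and the quoted loop: the first hook returns nonzero, the loop frees the middle frame and sets it to NULL, and the next hook in the chain is still invoked with that NULL. `volume_callback_guarded` carries the `!frame` check suggested above, and `frame_free_and_null` shows the pointer-zeroing discipline that turns a second free on the same variable into a no-op rather than the glibc-detected double free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model; these types and names are assumptions for illustration,
 * not Asterisk's real ast_frame / ast_audiohook. */
enum frame_type { FRAME_VOICE = 1, FRAME_DTMF = 2 };
enum hook_status { HOOK_RUNNING = 0, HOOK_DONE = 1 };

struct frame {
    enum frame_type frametype;
    short *samples;
    int nsamples;
};

struct audiohook {
    enum hook_status status;
    int (*manipulate_callback)(struct audiohook *hook, struct frame *f, int direction);
    int seen_null;   /* instrumentation: how often this hook was handed a NULL frame */
};

static struct frame *frame_alloc(int nsamples)
{
    struct frame *f = calloc(1, sizeof(*f));
    if (!f) return NULL;
    f->frametype = FRAME_VOICE;
    f->nsamples = nsamples;
    f->samples = calloc((size_t)nsamples, sizeof(short));
    if (!f->samples) { free(f); return NULL; }
    return f;
}

static void frame_free(struct frame *f)
{
    if (!f) return;
    free(f->samples);
    free(f);
}

/* Frees and zeroes the caller's pointer, so freeing the same variable
 * twice is a harmless no-op instead of a double free. */
static void frame_free_and_null(struct frame **fp)
{
    frame_free(*fp);
    *fp = NULL;
}

/* First hook in the chain: always reports failure (nonzero). */
static int failing_callback(struct audiohook *hook, struct frame *f, int direction)
{
    (void)hook; (void)f; (void)direction;
    return -1;
}

/* Volume hook with the NULL check placed before any dereference of the frame. */
static int volume_callback_guarded(struct audiohook *hook, struct frame *f, int direction)
{
    (void)direction;
    if (!f) hook->seen_null++;
    if (hook->status == HOOK_DONE || !f) return 0;
    if (f->frametype == FRAME_DTMF) return 0;
    for (int i = 0; i < f->nsamples; i++) f->samples[i] *= 2;   /* +6 dB, toy gain */
    return 0;
}

/* Mirrors the quoted loop: a failing callback frees the middle frame and sets
 * the local to NULL, but later hooks are still invoked with it.
 * Returns the number of hooks invoked; *out receives the surviving frame. */
static int run_manipulate_chain(struct audiohook **hooks, int n,
                                struct frame *middle_frame, int direction,
                                struct frame **out)
{
    int invoked = 0;
    for (int i = 0; i < n; i++) {
        invoked++;
        if (hooks[i]->manipulate_callback(hooks[i], middle_frame, direction)) {
            frame_free(middle_frame);
            middle_frame = NULL;
        }
    }
    *out = middle_frame;
    return invoked;
}

/* Scenario from the thread: hook 1 fails, hook 2 (volume) receives NULL.
 * Returns how many times the volume hook saw a NULL frame. */
static int demo_null_frame_after_failure(void)
{
    struct audiohook first  = { HOOK_RUNNING, failing_callback, 0 };
    struct audiohook volume = { HOOK_RUNNING, volume_callback_guarded, 0 };
    struct audiohook *chain[] = { &first, &volume };
    struct frame *out = NULL;
    struct frame *f = frame_alloc(160);   /* constructed 20 ms frame, all zeros */
    if (!f) return -1;
    run_manipulate_chain(chain, 2, f, 0, &out);
    /* f was freed inside the chain; out is NULL, so nothing is left to free */
    return out == NULL ? volume.seen_null : -1;
}

/* Freeing through the pointer-zeroing helper twice; returns 1 if safe. */
static int demo_free_twice(void)
{
    struct frame *f = frame_alloc(8);
    if (!f) return -1;
    frame_free_and_null(&f);
    frame_free_and_null(&f);   /* no-op: pointer already NULL */
    return f == NULL;
}

int main(void)
{
    printf("volume hook saw NULL %d time(s)\n", demo_null_frame_after_failure());
    printf("free-and-null twice safe: %d\n", demo_free_twice());
    return 0;
}
```

Swap `volume_callback_guarded` for a version that tests `f->frametype` first and the same chain dereferences NULL on the second hook, which is the segfault case; the double-free case only shows up with a plain `frame_free` on a pointer that was not zeroed, which is why the driver zeroes `middle_frame` but a stale copy elsewhere would still be dangerous.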
