From 0a7c0ae9c12f67594107194d61ad0b175a226e0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Wed, 11 Nov 2020 14:49:41 -0500
Subject: [PATCH] android: avoid use-after-free in OpenSL

Change-Id: I5fe40e7bccd74a2aa1de5427c21d09b77946e4a2
---
 src/media/audio/opensl/audio_player.cpp   | 4 +++-
 src/media/audio/opensl/audio_recorder.cpp | 5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/media/audio/opensl/audio_player.cpp b/src/media/audio/opensl/audio_player.cpp
index 6de31b0711..4946290eac 100644
--- a/src/media/audio/opensl/audio_player.cpp
+++ b/src/media/audio/opensl/audio_player.cpp
@@ -67,7 +67,8 @@ AudioPlayer::processSLCallback(SLAndroidSimpleBufferQueueItf bq)
         }
     }
 
-    callback_();
+    if (callback_)
+        callback_();
 
     while (playQueue_->front(&buf) && devShadowQueue_.push(buf)) {
         if ((*bq)->Enqueue(bq, buf->buf_, buf->size_) != SL_RESULT_SUCCESS) {
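Review bot: The `if (callback_)` guard added at the top of this hunk is not ordered against the store that clears it: AudioPlayer::stop() assigns `callback_ = {}` while holding m_, but nothing in this hunk shows processSLCallback taking m_ (the function starts outside the hunk), so the OpenSL thread can observe a non-empty std::function, have stop() reset it, and then invoke the now-destroyed callable — the use-after-free window is narrowed, not closed, and concurrent read/assign of a std::function is itself a data race. If the callback path does not already hold m_, hold it across the check and the call, e.g. `std::lock_guard<std::mutex> lk(m_); if (callback_) callback_();`, with the caveat that the callback must then not re-acquire m_; if the lock is already held further up, a one-line comment saying so (`// callback_ is read and cleared under m_`) would make the guard's correctness visible. The same pattern applies to the AudioPlayer::stop() hunk and to both AudioRecorder hunks in this patch.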
@@ -230,6 +231,7 @@ AudioPlayer::stop()
 {
     JAMI_DBG("OpenSL playback stop");
     std::lock_guard<std::mutex> lk(m_);
+    callback_ = {};
     SLuint32 state;
 
     SLresult result = (*playItf_)->GetPlayState(playItf_, &state);
diff --git a/src/media/audio/opensl/audio_recorder.cpp b/src/media/audio/opensl/audio_recorder.cpp
index 97d0416a25..3f00df441f 100644
--- a/src/media/audio/opensl/audio_recorder.cpp
+++ b/src/media/audio/opensl/audio_recorder.cpp
@@ -54,7 +54,8 @@ AudioRecorder::processSLCallback(SLAndroidSimpleBufferQueueItf bq)
         /*if (devShadowQueue_.size() == 0) {
             (*recItf_)->SetRecordState(recItf_, SL_RECORDSTATE_STOPPED);
         }*/
-        callback_();
+        if (callback_)
+            callback_();
     } catch (const std::exception& e) {
         JAMI_ERR("processSLCallback exception: %s", e.what());
     }
@@ -250,6 +251,8 @@ AudioRecorder::stop()
 
     result = (*recItf_)->SetRecordState(recItf_, SL_RECORDSTATE_STOPPED);
     SLASSERT(result);
+    callback_ = {};
+
     result = (*recBufQueueItf_)->Clear(recBufQueueItf_);
     SLASSERT(result);
 
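Review bot: `callback_ = {};` here is written with no lock visible in the hunk, whereas the AudioPlayer::stop() hunk performs the same reset under `std::lock_guard<std::mutex> lk(m_)`; AudioRecorder::stop() starts outside the hunk, so a lock may already be held, but if it is not, this assignment races with the read in AudioRecorder::processSLCallback. The placement also differs from the player, which clears the callback before stopping playback while this hunk clears it after SetRecordState(SL_RECORDSTATE_STOPPED); whichever order is intended deserves a why-comment, e.g. `// Cleared after the recorder is stopped; any callback already in flight must not outlive stop()`, so the two files do not drift further apart.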
-- 
GitLab