From 2479a4038ed98f2e2d812f1e5031c2e9cd575051 Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Thu, 14 May 2015 16:55:49 -0400
Subject: [PATCH] ringbuffer: fix invalid read access

Fix read access to a free'ed memory when waiting for audio data.

Refs #73286

Change-Id: Iefbe6e4540c14a114cd4c8684ff91445eb290922
---
 src/media/audio/ringbuffer.cpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/media/audio/ringbuffer.cpp b/src/media/audio/ringbuffer.cpp
index 2c03e867e1..7ae81718b4 100644
--- a/src/media/audio/ringbuffer.cpp
+++ b/src/media/audio/ringbuffer.cpp
@@ -266,11 +266,19 @@ size_t RingBuffer::waitForDataAvailable(const std::string &call_id, const size_t
     size_t getl = 0;
     if (deadline == std::chrono::high_resolution_clock::time_point()) {
         not_empty_.wait(l, [=, &getl] {
-                getl =  (endPos_ + buffer_size - read_ptr->second) % buffer_size;
+                // Re-find read_ptr: it may be destroyed during the wait
+                const auto read_ptr = readoffsets_.find(call_id);
+                if (read_ptr == readoffsets_.end())
+                    return true;
+                getl = (endPos_ + buffer_size - read_ptr->second) % buffer_size;
                 return getl >= min_data_length;
         });
     } else {
         not_empty_.wait_until(l, deadline, [=, &getl]{
+                // Re-find read_ptr: it may be destroyed during the wait
+                const auto read_ptr = readoffsets_.find(call_id);
+                if (read_ptr == readoffsets_.end())
+                    return true;
                 getl = (endPos_ + buffer_size - read_ptr->second) % buffer_size;
                 return getl >= min_data_length;
         });
-- 
GitLab