From 2479a4038ed98f2e2d812f1e5031c2e9cd575051 Mon Sep 17 00:00:00 2001 From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com> Date: Thu, 14 May 2015 16:55:49 -0400 Subject: [PATCH] ringbuffer: fix invalid read access Fix read access to a free'ed memory when waiting for audio data. Refs #73286 Change-Id: Iefbe6e4540c14a114cd4c8684ff91445eb290922 --- src/media/audio/ringbuffer.cpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/media/audio/ringbuffer.cpp b/src/media/audio/ringbuffer.cpp index 2c03e867e1..7ae81718b4 100644 --- a/src/media/audio/ringbuffer.cpp +++ b/src/media/audio/ringbuffer.cpp @@ -266,11 +266,19 @@ size_t RingBuffer::waitForDataAvailable(const std::string &call_id, const size_t size_t getl = 0; if (deadline == std::chrono::high_resolution_clock::time_point()) { not_empty_.wait(l, [=, &getl] { - getl = (endPos_ + buffer_size - read_ptr->second) % buffer_size; + // Re-find read_ptr: it may be destroyed during the wait + const auto read_ptr = readoffsets_.find(call_id); + if (read_ptr == readoffsets_.end()) + return true; + getl = (endPos_ + buffer_size - read_ptr->second) % buffer_size; return getl >= min_data_length; }); } else { not_empty_.wait_until(l, deadline, [=, &getl]{ + // Re-find read_ptr: it may be destroyed during the wait + const auto read_ptr = readoffsets_.find(call_id); + if (read_ptr == readoffsets_.end()) + return true; getl = (endPos_ + buffer_size - read_ptr->second) % buffer_size; return getl >= min_data_length; }); -- GitLab