Fix an invalid-free-bug in the ogg audio format handler code.

In process_ogg_packets(), if ogg_sync_pageout() fails, we jmp to
the out label where "stream" is being freed by ogg_stream_clear()
without being initialized.

This causes para_afh and para_server to segfault in libogg:

	*** glibc detected *** para_afh: munmap_chunk(): invalid pointer: 0x6f890d42 ***
	======= Backtrace: =========
	/usr/lib/glibc/lib/libc.so.6(+0x66e5a)[0x6f712e5a]
	/usr/lib/glibc/lib/libc.so.6(+0x68021)[0x6f714021]
	/usr/local/lib/libogg.so.0(ogg_stream_clear+0x2f)[0x6f891adf]
	para_afh[0x804cb52]
	para_afh[0x804cbeb]
	para_afh[0x804ce59]
	para_afh[0x804be71]
	para_afh[0x804a97c]
	/usr/lib/glibc/lib/libc.so.6(__libc_start_main+0xd9)[0x6f6c2c79]
	para_afh[0x8049991]

Fix this bug by returning the error code directly rather than jumping
to "out".

diff --git a/NEWS b/NEWS
index 4669b78ed883e42f417807b87ba12a1c26a75bb2..cb7ba06d5ae70631f6160daf5f9a8888a3227526 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,8 @@
 0.4.5 (to be announced) "symmetric randomization"
 -------------------------------------------------
 
+       - Fix an invalid-free-bug in the ogg audio format handler code.
+
 ------------------------------------------
 0.4.4 (2010-08-06) "persistent regularity"
 ------------------------------------------

diff --git a/ogg_afh_common.c b/ogg_afh_common.c
index 353bc9bb51a3e18a5e26fac359dd8aebfdcbbb8e..54e92956c641eb8cc8d88ce2a2f9c8920b32a6d6 100644 (file)
--- a/ogg_afh_common.c
+++ b/ogg_afh_common.c
@@ -64,9 +64,8 @@ static int process_ogg_packets(ogg_sync_state *oss, struct afh_info *afhi,
        ogg_page page;
        int ret;
 
-       ret = -E_SYNC_PAGEOUT;
        if (ogg_sync_pageout(oss, &page) != 1)
-               goto out;
+               return -E_SYNC_PAGEOUT;
 
        ret = ogg_page_serialno(&page);
        ogg_stream_init(&stream, ret);