mirror of https://github.com/Tha14/toxic.git synced 2024-11-22 17:13:02 +01:00

Fix pointer use after free bug

If toxcore fails to end a call we still need to do a cleanup
jfreegman 2020-10-27 15:20:21 -04:00
parent 478762f76c
commit 91f194c821
No known key found for this signature in database
GPG Key ID: 3627F3144076AE63
3 changed files with 36 additions and 34 deletions


@ -111,6 +111,8 @@ void callback_call_ended(uint32_t friend_number);
void write_device_callback(uint32_t friend_number, const int16_t *PCM, uint16_t sample_count, uint8_t channels, void write_device_callback(uint32_t friend_number, const int16_t *PCM, uint16_t sample_count, uint8_t channels,
uint32_t sample_rate); uint32_t sample_rate);
static int stop_transmission(Call *call, uint32_t friend_number, bool set_call_control);
static void print_err(ToxWindow *self, const char *error_str) static void print_err(ToxWindow *self, const char *error_str)
{ {
line_info_add(self, NULL, NULL, NULL, SYS_MSG, 0, 0, "%s", error_str); line_info_add(self, NULL, NULL, NULL, SYS_MSG, 0, 0, "%s", error_str);
@ -160,10 +162,8 @@ ToxAV *init_audio(ToxWindow *self, Tox *tox)
void terminate_audio(void) void terminate_audio(void)
{ {
int i; for (size_t i = 0; i < CallControl.max_calls; ++i) {
stop_transmission(&CallControl.calls[i], i, true);
for (i = 0; i < CallControl.max_calls; ++i) {
stop_transmission(&CallControl.calls[i], i);
} }
if (CallControl.av) { if (CallControl.av) {
@ -237,33 +237,38 @@ int start_transmission(ToxWindow *self, Call *call)
return 0; return 0;
} }
int stop_transmission(Call *call, uint32_t friend_number) /*
* Stops call transmission.
*
* `set_call_control` should be set to false if we already called toxav_call_control() with TOXAV_CALL_CONTROL_CANCEL.
*/
static int stop_transmission(Call *call, uint32_t friend_number, bool set_call_control)
{ {
if (call->ttas) { if (call->ttas) {
Toxav_Err_Call_Control error = TOXAV_ERR_CALL_CONTROL_OK; Toxav_Err_Call_Control error = TOXAV_ERR_CALL_CONTROL_OK;
if (CallControl.call_state > TOXAV_FRIEND_CALL_STATE_FINISHED) { if (set_call_control && CallControl.call_state > TOXAV_FRIEND_CALL_STATE_FINISHED) {
toxav_call_control(CallControl.av, friend_number, TOXAV_CALL_CONTROL_CANCEL, &error); toxav_call_control(CallControl.av, friend_number, TOXAV_CALL_CONTROL_CANCEL, &error);
} }
call->ttas = false;
if (call->in_idx != -1) {
close_device(input, call->in_idx);
}
if (call->out_idx != -1) {
close_device(output, call->out_idx);
}
if (set_call(call, false) == -1) {
return -1;
}
if (error == TOXAV_ERR_CALL_CONTROL_OK) { if (error == TOXAV_ERR_CALL_CONTROL_OK) {
call->ttas = false;
if (call->in_idx != -1) {
close_device(input, call->in_idx);
}
if (call->out_idx != -1) {
close_device(output, call->out_idx);
}
if (set_call(call, false) == -1) {
return -1;
}
return 0; return 0;
} else { } else {
fprintf(stderr, "failed to stop transmission. ToxAV error: %d\n", error);
return -1; return -1;
} }
} }
@ -306,8 +311,7 @@ void on_call_state(ToxAV *av, uint32_t friend_number, uint32_t state, void *user
#ifdef VIDEO #ifdef VIDEO
callback_video_end(friend_number); callback_video_end(friend_number);
#endif /* VIDEO */ #endif /* VIDEO */
stop_transmission(&CallControl.calls[friend_number], friend_number, true);
stop_transmission(&CallControl.calls[friend_number], friend_number);
callback_call_ended(friend_number); callback_call_ended(friend_number);
CallControl.pending_call = false; CallControl.pending_call = false;
@ -324,8 +328,7 @@ void on_call_state(ToxAV *av, uint32_t friend_number, uint32_t state, void *user
callback_recv_video_end(friend_number); callback_recv_video_end(friend_number);
callback_video_end(friend_number); callback_video_end(friend_number);
#endif /* VIDEO */ #endif /* VIDEO */
stop_transmission(&CallControl.calls[friend_number], friend_number, true);
stop_transmission(&CallControl.calls[friend_number], friend_number);
/* Reset stored call state after finishing */ /* Reset stored call state after finishing */
CallControl.call_state = 0; CallControl.call_state = 0;
@ -971,7 +974,7 @@ void stop_current_call(ToxWindow *self)
if (CallControl.pending_call) { if (CallControl.pending_call) {
callback_call_canceled(self->num); callback_call_canceled(self->num);
} else { } else {
stop_transmission(&CallControl.calls[self->num], self->num); stop_transmission(&CallControl.calls[self->num], self->num, false);
callback_call_ended(self->num); callback_call_ended(self->num);
} }
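Review bot: `friend_number` arrives from the ToxAV callback in `on_call_state` and indexes `CallControl.calls[]` at both changed call sites with no range check visible in these hunks, whereas `terminate_audio` bounds the same array by `CallControl.max_calls`. Because `stop_transmission` now always runs its cleanup (`close_device`, `set_call`) on the slot it is handed, a guard such as `if (friend_number >= CallControl.max_calls) { return; }` at the top of `on_call_state` would keep that cleanup inside the array. `on_call_state` begins outside the hunks, so such a check may already exist there. Separately, every call site shown discards the `int` result of `stop_transmission`, so a failed teardown goes unnoticed by its callers.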


@ -87,7 +87,6 @@ extern struct CallControl CallControl;
ToxAV *init_audio(ToxWindow *self, Tox *tox); ToxAV *init_audio(ToxWindow *self, Tox *tox);
void terminate_audio(void); void terminate_audio(void);
int start_transmission(ToxWindow *self, Call *call); int start_transmission(ToxWindow *self, Call *call);
int stop_transmission(Call *call, uint32_t friend_number);
void stop_current_call(ToxWindow *self); void stop_current_call(ToxWindow *self);
void init_friend_AV(uint32_t index); void init_friend_AV(uint32_t index);
void del_friend_AV(uint32_t index); void del_friend_AV(uint32_t index);


@ -342,6 +342,7 @@ DeviceError close_device(DeviceType type, uint32_t device_idx)
} }
lock; lock;
Device *device = running[type][device_idx]; Device *device = running[type][device_idx];
DeviceError rc = de_None; DeviceError rc = de_None;
@ -472,6 +473,7 @@ void *thread_poll(void *arg) // TODO: maybe use thread for every input source
lock; lock;
if (!thread_running) { if (!thread_running) {
free(frame_buf);
unlock; unlock;
break; break;
} }
@ -488,18 +490,18 @@ void *thread_poll(void *arg) // TODO: maybe use thread for every input source
for (uint32_t i = 0; i < size[input]; ++i) { for (uint32_t i = 0; i < size[input]; ++i) {
lock; lock;
if (running[input][i] != NULL) { Device *device = running[input][i];
alcGetIntegerv(running[input][i]->dhndl, ALC_CAPTURE_SAMPLES, sizeof(int32_t), &sample);
int f_size = (running[input][i]->sample_rate * running[input][i]->frame_duration / 1000); if (device != NULL) {
alcGetIntegerv(device->dhndl, ALC_CAPTURE_SAMPLES, sizeof(int32_t), &sample);
int f_size = (device->sample_rate * device->frame_duration / 1000);
if (sample < f_size || f_size > FRAME_BUF_SIZE) { if (sample < f_size || f_size > FRAME_BUF_SIZE) {
unlock; unlock;
continue; continue;
} }
Device *device = running[input][i];
alcCaptureSamples(device->dhndl, frame_buf, f_size); alcCaptureSamples(device->dhndl, frame_buf, f_size);
if (device->muted) { if (device->muted) {
@ -519,8 +521,6 @@ void *thread_poll(void *arg) // TODO: maybe use thread for every input source
} }
} }
free(frame_buf);
pthread_exit(NULL); pthread_exit(NULL);
} }
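Review bot: In `thread_poll`, `f_size` is checked only against `sample` and `FRAME_BUF_SIZE`, so with a non-negative `sample` a zero or negative `f_size` passes both tests and reaches `alcCaptureSamples(device->dhndl, frame_buf, f_size)`. The product `device->sample_rate * device->frame_duration` is evaluated before being stored in an `int`; the field types are not visible here, but if the multiplication can wrap, the stored value may be negative. Extending the guard to `if (f_size <= 0 || sample < f_size || f_size > FRAME_BUF_SIZE)` closes that gap. The loop body of `thread_poll` continues outside the hunk.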