ao_pcm: fix double free on exit

This seems to be an older bug. It set priv->outputfilename to a new talloc-allocated string, but the field is also managed as string option, so talloc will free it first, then m_option_free() is called on the dangling pointer. Possibly this is caused by the earlier ta destruction order change.
2020-03-14 13:36:27 +01:00 · 2020-03-14 13:36:27 +01:00 · 9d04e76f3f
parent cd22e93fee
commit 9d04e76f3f
1 changed files with 8 additions and 6 deletions
--- a/audio/out/ao_pcm.c
+++ b/audio/out/ao_pcm.c
@ -111,9 +111,11 @@ static int init(struct ao *ao)
 {
    struct priv *priv = ao->priv;

-    if (!priv->outputfilename)
-        priv->outputfilename =
-            talloc_strdup(priv, priv->waveheader ? "audiodump.wav" : "audiodump.pcm");
+    char *outputfilename = priv->outputfilename;
+    if (!outputfilename) {
+        outputfilename = talloc_strdup(priv, priv->waveheader ? "audiodump.wav"
+                                                              : "audiodump.pcm");
+    }

    ao->format = af_fmt_from_planar(ao->format);

@ -148,13 +150,13 @@ static int init(struct ao *ao)
    ao->bps = ao->channels.num * ao->samplerate * af_fmt_to_bytes(ao->format);

    MP_INFO(ao, "File: %s (%s)\nPCM: Samplerate: %d Hz Channels: %d Format: %s\n",
-            priv->outputfilename,
+            outputfilename,
            priv->waveheader ? "WAVE" : "RAW PCM", ao->samplerate,
            ao->channels.num, af_fmt_to_str(ao->format));

-    priv->fp = fopen(priv->outputfilename, priv->append ? "ab" : "wb");
+    priv->fp = fopen(outputfilename, priv->append ? "ab" : "wb");
    if (!priv->fp) {
-        MP_ERR(ao, "Failed to open %s for writing!\n", priv->outputfilename);
+        MP_ERR(ao, "Failed to open %s for writing!\n", outputfilename);
        return -1;
    }
    if (priv->waveheader)  // Reserve space for wave header