@@ -5080,6 +5080,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
const char *new = str;
const char *tmp;
char *val = NULL;
+
+ sub = NULL;
err = parse_arg(&new, &varlen, &val);
if (err < 0)
goto _err;
@@ -5104,6 +5106,7 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
err = snd_config_search(subs, var, &sub);
if (err >= 0)
snd_config_delete(sub);
+ sub = NULL;
err = snd_config_search(def, "type", &typ);
if (err < 0) {
_invalid_type:
@@ -5169,7 +5172,8 @@ static int parse_args(snd_config_t *subs, const char *str, snd_config_t *defs)
err = snd_config_add(subs, sub);
if (err < 0) {
_err:
- snd_config_delete(sub);
+ if (sub)
+ snd_config_delete(sub);
free(val);
return err;
}
The previous fix for memory leaks introduced a few regression. The major one is the assert hit in the error path reaching with NULL or uninitialized sub object. Also, in other code paths, it's possible that an already released sub object gets freed again. Fix those bugs by initializing the sub object properly and add a NULL check before calling snd_config_delete(). Fixes: ad5f255b4767 ("conf: fix memory leak on the error path in parse_args()") Reported-and-tested-by: Mark Hills <mark@xwax.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> --- src/conf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)