Accepting request 339363 from home:tiwai:bnc950487

- Upstream fix patch for srb channel corruption (boo#950487): pstream-Fix-use-after-free-in-srb_callback.patch - Re-enable srbchannel again OBS-URL: https://build.opensuse.org/request/show/339363 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/pulseaudio?expand=0&rev=160
2015-10-17 08:48:36 +00:00 · 2015-10-17 08:48:36 +00:00 · 9ba037f5a6
commit 9ba037f5a6
parent c4ffaf05b3
3 changed files with 56 additions and 0 deletions
--- a/pstream-Fix-use-after-free-in-srb_callback.patch
+++ b/pstream-Fix-use-after-free-in-srb_callback.patch
@ -0,0 +1,43 @@
+>From 9d370181ec4bc1e252b54dd0e7bb52016f01b238 Mon Sep 17 00:00:00 2001
+From: David Henningsson <david.henningsson@canonical.com>
+Date: Fri, 16 Oct 2015 22:12:32 +0200
+Subject: [PATCH] pstream: Fix use-after-free in srb_callback
+
+We need to guard the pstream with an extra ref to ensure
+it is not destroyed at the time we check whether or not the
+srbchannel is destroyed.
+
+Reported-by: Takashi Iwai <tiwai@suse.de>
+BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=950487
+Signed-off-by: David Henningsson <david.henningsson@canonical.com>
+---
+ src/pulsecore/pstream.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/src/pulsecore/pstream.c
+++ b/src/pulsecore/pstream.c
+@@ -216,14 +216,23 @@ fail:
+ }
+ 
+ static bool srb_callback(pa_srbchannel *srb, void *userdata) {
+    bool b;
+     pa_pstream *p = userdata;
+ 
+     pa_assert(p);
+     pa_assert(PA_REFCNT_VALUE(p) > 0);
+     pa_assert(p->srb == srb);
+ 
+    pa_pstream_ref(p);
+
+     do_pstream_read_write(p);
+-    return p->srb != NULL;
+
+    /* If either pstream or the srb is going away, return false.
+       We need to check this before p is destroyed. */
+    b = (PA_REFCNT_VALUE(p) > 1) && (p->srb == srb);
+    pa_pstream_unref(p);
+
+    return b;
+ }
+ 
+ static void io_callback(pa_iochannel*io, void *userdata) {
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sat Oct 17 09:21:39 CEST 2015 - tiwai@suse.de
+
+- Upstream fix patch for srb channel corruption (boo#950487):
+  pstream-Fix-use-after-free-in-srb_callback.patch
+- Re-enable srbchannel again
+
 -------------------------------------------------------------------
 Thu Oct 15 16:32:02 CEST 2015 - tiwai@suse.de

--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@ -44,7 +44,10 @@ Patch0:         disabled-start.diff
 Patch1:         suppress-socket-error-msg.diff
 Patch2:         pulseaudio-wrong-memset.patch
 # PATCH-FIX-SUSE disable-srbchannel.patch boo#950487 Disable srbchannel as a workaround for crashes on KDE
+# XXX note this patch isn't used for now, kept just for workaround in future
 Patch3:         disable-srbchannel.patch
+# PATCH-FIX-UPSTREAM pstream-Fix-use-after-free-in-srb_callback.patch boo#950487
+Patch4:         pstream-Fix-use-after-free-in-srb_callback.patch
 # PATCH-FIX-UPSTREAM 0002-alsa-mixer-Recognize-Dock-Line-Out-jack.patch boo#934850
 Patch102:       0002-alsa-mixer-Recognize-Dock-Line-Out-jack.patch
 BuildRequires:  alsa-devel >= 1.0.19
@ -326,7 +329,10 @@ Optional dependency offering zsh completion for various PulseAudio utilities
 %patch0
 %patch1 -p1
 %patch2
+%if 0
 %patch3 -p1
+%endif
+%patch4 -p1
 %patch102 -p1

 %build