From 016919a53bb8f17de2a9070fbe84ed88fb27e175 Mon Sep 17 00:00:00 2001 From: James Crook Date: Sun, 26 Jun 2016 08:35:19 +0100 Subject: [PATCH] Bug1223: (correction). Fix new potential crash in following pointer. With recent changes to the Nyquist code for freeing blocks, the pointer 'next' could be uninitialised when 'list' points to the zero chain. So Audacity would follow a rogue pointer. We'd get away with it if the uninitialised value happened to be zero. --- lib-src/libnyquist/nyquist/nyqsrc/sound.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib-src/libnyquist/nyquist/nyqsrc/sound.c b/lib-src/libnyquist/nyquist/nyqsrc/sound.c index 84803fdc3..534c2c803 100644 --- a/lib-src/libnyquist/nyquist/nyqsrc/sound.c +++ b/lib-src/libnyquist/nyquist/nyqsrc/sound.c @@ -528,6 +528,7 @@ void snd_list_unref(snd_list_type list) break; // the rest of the list is shared, nothing more to free } + next = NULL; // list nodes either point to a block of samples or this is the // last list node (list->block == NULL) which points to a suspension // lists can also terminate at the zero_block, which is an infinite @@ -540,7 +541,6 @@ void snd_list_unref(snd_list_type list) /* free suspension structure */ /* nyquist_printf("freeing susp@%p\n", list->u.susp); */ (*(list->u.susp->free))(list->u.susp); - next = NULL; } /* if (list == list_watch) printf("freeing watched snd_list %p\n", list); */
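Review bot: The added `next = NULL;` in the first hunk has no comment and is a plain assignment rather than an initialiser, so the invariant it protects (every path through the loop body must leave `next` defined before it is followed) stays implicit. Per the commit message, the zero-chain case previously left `next` uninitialised; a comment above the assignment such as `// default: no successor; branches that do not set next (e.g. the zero_block case) end the walk` would record why the line must stay ahead of the branches. The declaration of `next` and the branches that assign it lie outside the hunk, so the following is inferred: if `next` is declared inside the loop body, initialising it there with `snd_list_type next = NULL;` would stop a later edit from reordering past the default. Building with `-Wmaybe-uninitialized` or running the Nyquist tests under MemorySanitizer would help catch a recurrence of this class of uninitialised-pointer read.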