struct audio_rsp_open_stream has only a zero-length array member, thus
its size equals 0. We need to explicitly specify the size of the array
element type here.
---
android/a2dp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/android/a2dp.c b/android/a2dp.c
index 9f3164a..145cd67 100644
--- a/android/a2dp.c
+++ b/android/a2dp.c
@@ -1088,8 +1088,8 @@ static void bt_stream_open(const void *buf, uint16_t len)
return;
}
- len = sizeof(*rsp) + setup->preset->len;
- rsp = g_malloc0(sizeof(*rsp) + setup->preset->len);
+ len = sizeof(struct audio_preset) + setup->preset->len;
+ rsp = g_malloc0(len);
rsp->preset->len = setup->preset->len;
memcpy(rsp->preset->data, setup->preset->data, setup->preset->len);
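Review bot: `len` is the function's `uint16_t` parameter, so the sum on the new `len = sizeof(struct audio_preset) + setup->preset->len;` line is narrowed to 16 bits before it reaches `g_malloc0(len)`, while the `memcpy` below still copies `setup->preset->len` bytes. The removed code passed the un-narrowed expression to the allocator, so the change couples the allocation size to the truncated value; whether that can matter depends on the type and range of `preset->len`, which is not visible in this hunk. Computing the size in a local first, `size_t rsp_len = sizeof(struct audio_preset) + setup->preset->len;` then `rsp = g_malloc0(rsp_len);`, and assigning `len` only after a range check would keep the buffer and the copy in agreement. Writing `sizeof(rsp->preset[0])` would also tie the size to the member instead of a repeated type name. bt_stream_open starts and ends outside the hunk.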
--
1.8.5.2
Hi Andrzej,
On Tue, Jan 14, 2014 at 6:16 PM, Andrzej Kaczmarek
<[email protected]> wrote:
> struct audio_rsp_open_stream has only zero-length array member thus its
> size equals to 0. We need to explicitly specify size of array element
> type here.
> ---
> android/a2dp.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/android/a2dp.c b/android/a2dp.c
> index 9f3164a..145cd67 100644
> --- a/android/a2dp.c
> +++ b/android/a2dp.c
> @@ -1088,8 +1088,8 @@ static void bt_stream_open(const void *buf, uint16_t len)
> return;
> }
>
> - len = sizeof(*rsp) + setup->preset->len;
> - rsp = g_malloc0(sizeof(*rsp) + setup->preset->len);
> + len = sizeof(struct audio_preset) + setup->preset->len;
> + rsp = g_malloc0(len);
> rsp->preset->len = setup->preset->len;
> memcpy(rsp->preset->data, setup->preset->data, setup->preset->len);
>
> --
> 1.8.5.2
Pushed, thanks.
--
Luiz Augusto von Dentz
In case the SEP was opened from the local side, the corresponding a2dp_setup
structure holds just a reference to the a2dp_preset which is stored on the
presets list. As a result, when closing the SEP such a preset will be freed,
leaving a dangling pointer on the presets list.
This patch duplicates the a2dp_preset in such a case so it can be freed
safely.
---
android/a2dp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/android/a2dp.c b/android/a2dp.c
index 145cd67..63629a0 100644
--- a/android/a2dp.c
+++ b/android/a2dp.c
@@ -266,6 +266,7 @@ static int select_configuration(struct a2dp_device *dev,
struct avdtp_remote_sep *rsep)
{
struct a2dp_preset *preset;
+ struct a2dp_preset *preset_dup;
struct avdtp_stream *stream;
struct avdtp_service_capability *service;
struct avdtp_media_codec_capability *codec;
@@ -298,7 +299,11 @@ static int select_configuration(struct a2dp_device *dev,
return err;
}
- setup_add(dev, endpoint, preset, stream);
+ preset_dup = g_new0(struct a2dp_preset, 1);
+ preset_dup->len = preset->len;
+ preset_dup->data = g_memdup(preset->data, preset->len);
+
+ setup_add(dev, endpoint, preset_dup, stream);
return 0;
}
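Review bot: The copy made before `setup_add()` changes who owns the preset, but nothing at the call site records that; a comment above the `g_new0` line such as `/* setup owns and frees its preset; copy so the presets list entry stays valid */` would keep a later cleanup from removing it. The three-line duplication is open-coded, so any other caller that hands a list-owned preset to `setup_add()` would need the same copy; a small static helper may be worth it, though other callers are not visible in this hunk. Note also that `g_memdup()` returns NULL for a zero length, so code that later reads `preset->data` should tolerate a NULL pointer when `len == 0`. select_configuration starts outside the hunk.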
--
1.8.5.2