From b9decbb0568de0df5e531783540935102e911e14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Olivier=20Cr=C3=AAte?= Date: Wed, 7 Apr 2010 19:05:37 -0400 Subject: [PATCH] shmpipe: Fix crash when sp_close_shm is called with self == NULL. If sp_open_shm errors out trying to open a shm area, it would crash when trying to free the area. The RETURN_ERROR macro calls sp_shm_area_dec with self == NULL. sp_shm_area_dec calls sp_shm_close, with self == NULL, which it then tries to access a parameter of without checking. This patch checks to make sure self != NULL before accessing that parameter. --- gst/shm/shmpipe.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/gst/shm/shmpipe.c b/gst/shm/shmpipe.c index 497e1acc52..169600cd79 100644 --- a/gst/shm/shmpipe.c +++ b/gst/shm/shmpipe.c @@ -297,26 +297,27 @@ sp_open_shm (char *path, int id, int writer, mode_t perms, size_t size) static void sp_close_shm (ShmPipe * self, ShmArea * area) { - ShmArea *item = NULL; - ShmArea *prev_item = NULL; - assert (area->use_count == 0); if (area->allocspace) shm_alloc_space_free (area->allocspace); + if (self != NULL) { + ShmArea *item = NULL; + ShmArea *prev_item = NULL; - for (item = self->shm_area; item; item = item->next) { - if (item == area) { - if (prev_item) - prev_item->next = item->next; - else - self->shm_area = item->next; - break; + for (item = self->shm_area; item; item = item->next) { + if (item == area) { + if (prev_item) + prev_item->next = item->next; + else + self->shm_area = item->next; + break; + } + prev_item = item; } - prev_item = item; + assert (item); } - assert (item); if (area->shm_area != MAP_FAILED) munmap (area->shm_area, area->shm_area_len);
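Review bot: The new `if (self != NULL)` guard in sp_close_shm skips the unlink loop silently, so the intended case (an area never placed on a pipe's list, as in the sp_open_shm error path the commit message describes) looks the same as a caller passing NULL for an area still reachable from `self->shm_area`. In that second case the list would keep a pointer to an area whose mapping is released by the `munmap` just below, leaving a stale entry for the next list walk. I would state the contract in a comment above the guard, for example `/* self may be NULL only for an area that was never linked into a pipe (sp_open_shm failure) */`. Both `assert (item)` and `assert (area->use_count == 0)` disappear when NDEBUG is defined, so release builds enforce neither condition. The function body continues past the end of the hunk, so the rest of the cleanup is not visible here.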