Pulse-Eight / libcec

USB CEC Adapter communication Library http://libcec.pulse-eight.com/

Fix use after free in callbacks with results. #616

Open gmsoft-tuxicoman opened 2 years ago

gmsoft-tuxicoman commented 2 years ago

There is a use-after-free bug in the menu state change callback.

In line CECClient.cpp:1656, cb->m_keepResult is checked to find out whether the callbackWrap needs to be deleted or not. However, in CCECClient::QueueMenuStateChanged, the callback is deleted right after Result().

By the time Report() finishes, the callback is already deleted, and thus the value of cb->m_keepResult should not be accessed; it can become 0, leading to a double free.
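To make the ownership problem in this PR description concrete, here is an added example that is not libcec code and not part of this PR: it models a callback wrapper with a keep flag, shows the buggy ordering as comments only, and implements two safe orderings (ownership transfer with `std::unique_ptr`, and a flag snapshot for raw-pointer code). `CallbackWrap`, `m_keepResult`, `Result`, `MenuStateReceiver` and the `RunScenario` helpers are hypothetical stand-ins named after the PR text, not libcec's actual types or functions.

```cpp
// Added example (not libcec code): models the callback-ownership bug described
// in the PR and two ways to structure the code so the keep flag is never read
// after the wrapper may already have been freed.  All names are hypothetical.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct CallbackWrap {
  std::function<void(int)> onResult;  // consumer of the delivered result
  bool m_keepResult = false;          // true: receiver keeps the wrapper alive
  int* deleteCounter = nullptr;       // test hook: counts destructor runs
  ~CallbackWrap() { if (deleteCounter) ++*deleteCounter; }
};

// Buggy ordering from the PR text, reproduced as comments only (never run):
//
//   cb->onResult(value);          // receiver deleted cb right after Result()
//   if (!cb->m_keepResult)        // use after free: reads freed memory
//     delete cb;                  // double free if the stale read yields 0
//
// Fix 1 (below): transfer ownership with unique_ptr.  Whoever ends up holding
// the pointer deletes it, and the caller never touches the object after the call.
using CallbackPtr = std::unique_ptr<CallbackWrap>;

// Hypothetical receiver standing in for whatever the queued menu-state
// change is delivered to.
struct MenuStateReceiver {
  std::vector<CallbackPtr> kept;  // wrappers retained for a later result
  int lastValue = -1;

  // Takes ownership.  Hands the wrapper back to the caller for disposal
  // unless it asked to be kept, in which case it is stored here.
  CallbackPtr Result(CallbackPtr cb, int value) {
    lastValue = value;
    cb->onResult(value);
    if (cb->m_keepResult) {
      kept.push_back(std::move(cb));
      return nullptr;
    }
    return cb;
  }
};

// Fix 2: for raw-pointer code that cannot be converted, snapshot the flag
// before the call, because the callee may free the object during it.
inline void ReportWithSnapshot(CallbackWrap* cb, int value) {
  const bool keep = cb->m_keepResult;  // read while cb is certainly alive
  cb->onResult(value);                 // after this line cb may be gone if keep
  if (!keep) delete cb;                // contract: callee never deletes when !keep
}

// Drives one delivery through the unique_ptr path.  Returns how many wrappers
// the receiver kept; *deleteCounter records how often the destructor ran.
inline std::size_t RunScenario(bool keep, int* deleteCounter, int* delivered) {
  MenuStateReceiver rx;
  auto cb = std::make_unique<CallbackWrap>();
  cb->m_keepResult = keep;
  cb->deleteCounter = deleteCounter;
  cb->onResult = [delivered](int v) { *delivered = v; };
  {
    CallbackPtr back = rx.Result(std::move(cb), 0x8D);  // 0x8D: constructed opcode
    // `back` is null when kept; otherwise the wrapper is freed exactly once here.
  }
  return rx.kept.size();  // rx destructs on return, freeing a kept wrapper once
}

// Drives one delivery through the snapshot path.  Returns the delivered value.
inline int RunSnapshotScenario(int* deleteCounter) {
  int delivered = -1;
  auto* cb = new CallbackWrap;
  cb->m_keepResult = false;
  cb->deleteCounter = deleteCounter;
  cb->onResult = [&delivered](int v) { delivered = v; };
  ReportWithSnapshot(cb, 0x8D);
  return delivered;
}

int main() {
  int freed = 0, value = -1;
  std::size_t kept = RunScenario(true, &freed, &value);
  std::printf("kept=%zu freed=%d value=0x%X\n", kept, freed, value);
  freed = 0;
  std::printf("snapshot value=0x%X freed=%d\n", RunSnapshotScenario(&freed), freed);
  return 0;
}
```

The property the PR is after is "exactly one delete per wrapper regardless of the keep flag": with `unique_ptr` the compiler enforces that there is a single owner at every point, and with the snapshot variant the decision is made from a value read while the object is provably alive, so nothing is dereferenced after the callee has had a chance to free it.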

ahwayakchih commented 1 month ago

I've noticed the following in my application, which I think may be caused by the error that this patch fixes:

free(): double free detected in tcache 2

It happens randomly (well... at least I could not find out the exact case when it happens) after the menu button on the remote controller is used. Last time it happened:

[on_logMessage 3281] >> TV (0) -> Recorder 1 (1): menu request (8D), 16, 8844
[on_logMessage 3281] >> menu request: deactivated, 16, 8844
free(): double free detected in tcache 2