espressif / esp-adf

Espressif Audio Development Framework

audio_event_iface_msg_t msg use after free (AUD-4844) #1064

Closed probiers closed 1 year ago

probiers commented 1 year ago

I am trying to use the audio event and figured out that there could be some memory issues in esp_peripherals.c:

https://github.com/espressif/esp-adf/blob/49f80aafefc31642ea98db78bf024e18688b8de9/components/esp_peripherals/esp_peripherals.c#L383-L394

In function esp_periph_send_event, audio_event_iface_msg_t msg is created on the stack, and then xQueueSend is called to send the message. My understanding is that xQueueSend in FreeRTOS will not copy the item to the queue, because the item is only a void * and no size is given. So after esp_periph_send_event is called, the local variable msg will be destroyed.

Therefore I cannot understand how I can get a valid event using audio_event_iface_listen in the main loop, which is shown in some examples like https://github.com/espressif/esp-adf/blob/49f80aafefc31642ea98db78bf024e18688b8de9/examples/advanced_examples/flexible_pipeline/main/flexible_example_main.c#L149

probiers commented 1 year ago

Just understood that xQueueSend really does a copy and the size is read from the queue handle.
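
The copy semantics this thread arrives at, as an added example that is not part of the original issue and is not esp-adf or FreeRTOS code: a simplified model of a queue whose item size is fixed at creation, so a send copies the message out of the sender's stack frame. `model_queue_*`, `demo_msg_t` and `payload` are hypothetical names; the example also goes one step further and shows that a pointer field inside the message is copied only as a pointer, so the buffer it refers to must stay valid until the receiver is done with it.

```c
#include <string.h>

/* Simplified model of a copy-by-value queue (not the FreeRTOS implementation). */
typedef struct {
    size_t item_size;            /* fixed at creation, like uxItemSize in xQueueCreate() */
    size_t length, head, count;
    unsigned char storage[256];  /* the queue owns this memory */
} model_queue_t;

static int model_queue_init(model_queue_t *q, size_t length, size_t item_size) {
    if (item_size == 0 || length > sizeof q->storage / item_size) return 0;
    memset(q, 0, sizeof *q);
    q->item_size = item_size; q->length = length;
    return 1;
}

/* Copies item_size bytes from *item into queue storage; *item is not referenced afterwards. */
static int model_queue_send(model_queue_t *q, const void *item) {
    if (q->count == q->length) return 0;                  /* queue full */
    size_t tail = (q->head + q->count) % q->length;
    memcpy(q->storage + tail * q->item_size, item, q->item_size);
    q->count++;
    return 1;
}

static int model_queue_receive(model_queue_t *q, void *out) {
    if (q->count == 0) return 0;                          /* queue empty */
    memcpy(out, q->storage + q->head * q->item_size, q->item_size);
    q->head = (q->head + 1) % q->length;
    q->count--;
    return 1;
}

typedef struct { int cmd; void *data; } demo_msg_t;       /* constructed message type */

/* Same pattern as in the issue: message built on the stack, then sent. */
static int send_from_stack(model_queue_t *q, int cmd, void *data) {
    demo_msg_t msg = { .cmd = cmd, .data = data };
    return model_queue_send(q, &msg);   /* msg dies on return; the queued copy does not */
}

static char payload[8] = "old";         /* constructed payload the message points at */

/* Receives after the sender's frame is gone; the struct is intact, the payload is shared. */
static int demo_roundtrip(demo_msg_t *got) {
    model_queue_t q;
    if (!model_queue_init(&q, 4, sizeof(demo_msg_t)) || !send_from_stack(&q, 42, payload)) return 0;
    strcpy(payload, "new");             /* sender reuses the buffer after sending */
    return model_queue_receive(&q, got);
}
```

The received `cmd` survives the sender's return, while `got->data` still points at the sender's buffer and sees its later contents; that pointer, not the message struct, is where a lifetime bug could occur.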