| From: Gerd Hoffmann <kraxel@redhat.com> |
| Date: Fri, 28 Apr 2017 09:56:12 +0200 |
| Subject: [PATCH] audio: release capture buffers |
| |
| AUD_add_capture() allocates two buffers which are never released. |
| Add the missing calls to AUD_del_capture(). |
| |
| Impact: Allows vnc clients to exhaust host memory by repeatedly |
| starting and stopping audio capture. |
| |
| Fixes: CVE-2017-8309 |
| Cc: P J P <ppandit@redhat.com> |
| Cc: Huawei PSIRT <PSIRT@huawei.com> |
| Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com> |
| Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> |
| Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> |
| Message-id: 20170428075612.9997-1-kraxel@redhat.com |
| (cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a) |
| |
| audio/audio.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| diff --git a/audio/audio.c b/audio/audio.c |
| index c8898d8422..beafed209b 100644 |
| |
| |
| @@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) |
| sw = sw1; |
| } |
| QLIST_REMOVE (cap, entries); |
| + g_free (cap->hw.mix_buf); |
| + g_free (cap->buf); |
| g_free (cap); |
| } |
| return; |