We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 2604 - Double free in LoadWAVStream function
Summary: Double free in LoadWAVStream function
Status: RESOLVED FIXED
Alias: None
Product: SDL_mixer
Classification: Unclassified
Component: misc (show other bugs)
Version: 2.0.0
Hardware: x86 Linux
: P2 critical
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-25 06:09 UTC by Nitz
Modified: 2014-06-25 07:49 UTC (History)
0 users

See Also:

Attachments
Patch for double free issue in LoadWAVStream (389 bytes, text/plain)
2014-06-25 06:09 UTC, Nitz 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nitz 2014-06-25 06:09:14 UTC 
Created attachment 1709 [details]
Patch for double free issue in LoadWAVStream

In 
static SDL_RWops *LoadWAVStream (SDL_RWops *src, SDL_AudioSpec *spec,
                    long *start, long *stop)
{ 

/* Decode the audio data format */
    format = (WaveFMT *)chunk.data; //  Now both point to the same storage.
    if ( chunk.magic != FMT ) {
        SDL_free(chunk.data);  // frees chunk.data
        Mix_SetError("Complex WAVE files not supported");
        was_error = 1;
        goto done;
    }



done:
    if ( format != NULL ) {
        SDL_free(format); // frees pointer format which has already been freed.
    }
    if ( was_error ) {
        return NULL;
    }
    return(src);
}

Patch is attached for solution.

Cheers!!!

/Nitz
Comment 1 Sam Lantinga 2014-06-25 07:49:44 UTC 
Fixed, thanks!
https://hg.libsdl.org/SDL_mixer/rev/dd498db4e82e