diff options
| author | Gerd Hoffmann <kraxel@redhat.com> | 2017-04-28 09:56:12 +0200 |
|---|---|---|
| committer | Michael Roth <mdroth@linux.vnet.ibm.com> | 2017-08-31 11:51:16 -0500 |
| commit | 3c6913263555bf43963d6ee8aa30b0ce1bd89b8d (patch) | |
| tree | b57ecd545a575c5f338c23f3d56cb26501524e15 | |
| parent | 40a7d47c5a88e4045b471dff38182d5a21cae682 (diff) | |
| download | qemu-3c6913263555bf43963d6ee8aa30b0ce1bd89b8d.zip qemu-3c6913263555bf43963d6ee8aa30b0ce1bd89b8d.tar.gz qemu-3c6913263555bf43963d6ee8aa30b0ce1bd89b8d.tar.bz2 | |
audio: release capture buffers
AUD_add_capture() allocates two buffers which are never released.
Add the missing calls to AUD_del_capture().
Impact: Allows vnc clients to exhaust host memory by repeatedly
starting and stopping audio capture.
Fixes: CVE-2017-8309
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170428075612.9997-1-kraxel@redhat.com
(cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
| -rw-r--r-- | audio/audio.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/audio/audio.c b/audio/audio.c index c8898d8..beafed2 100644 --- a/audio/audio.c +++ b/audio/audio.c @@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) sw = sw1; } QLIST_REMOVE (cap, entries); + g_free (cap->hw.mix_buf); + g_free (cap->buf); g_free (cap); } return; |