audio: release capture buffers

AUD_add_capture() allocates two buffers which are never released. Add the missing calls to AUD_del_capture(). Impact: Allows vnc clients to exhaust host memory by repeatedly starting and stopping audio capture. Fixes: CVE-2017-8309 Cc: P J P <ppandit@redhat.com> Cc: Huawei PSIRT <PSIRT@huawei.com> Reported-by: N "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: N Prasad J Pandit <pjp@fedoraproject.org> Message-id: 20170428075612.9997-1-kraxel@redhat.com (cherry picked from commit 3268a845) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>

audio: release capture buffers
AUD_add_capture() allocates two buffers which are never released. Add the missing calls to AUD_del_capture(). Impact: Allows vnc clients to exhaust host memory by repeatedly starting and stopping audio capture. Fixes: CVE-2017-8309 Cc: P J P <ppandit@redhat.com> Cc: Huawei PSIRT <PSIRT@huawei.com> Reported-by: N "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com> Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: N Prasad J Pandit <pjp@fedoraproject.org> Message-id: 20170428075612.9997-1-kraxel@redhat.com (cherry picked from commit 3268a845) Signed-off-by: N Michael Roth <mdroth@linux.vnet.ibm.com>
3c691326 · Gerd Hoffmann · Michael Roth · 40a7d47c · 3c691326
隐藏空白更改
内联并排

Showing with 2 addition and 0 deletion

audio/audio.c audio/audio.c +2 -0

未找到文件。
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
                    sw = sw1;
                }
                QLIST_REMOVE (cap, entries);
+                g_free (cap->hw.mix_buf);
+                g_free (cap->buf);
                g_free (cap);
            }
            return;