Description of problem:
A double free and a double close are present in alsabat (part of alsa-utils).

Version-Release number of selected component (if applicable):
alsa-utils in version 1.1.2

How reproducible:
Found statically, no test-case provided.

Steps to Reproduce:
In the file bat/alsa.c, in the function record_alsa (line 663), there is a call to free on sndpcm.buffer at line 693:

    pthread_cleanup_push(free, sndpcm.buffer);

Another call to free on the same variable is possible at line 715:

    exit3:
        free(sndpcm.buffer);

The presence of a "goto exit3" right after the first free makes such a path possible. Notice that, in the same way, a double close can be achieved on sndpcm.handle (yet the double free seems more dangerous).

Actual results:

Expected results:

Additional info:
A fix could be to set sndpcm.buffer (resp. sndpcm.handle) to a NULL value after the first free (resp. close), and to check its value before the second call.
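The fix suggested in the report, sketched as an added example (not alsa-utils code and not from the reporter): each release clears the pointer or descriptor it owns, so running it once from a cleanup handler and again at the exit label frees and closes only once. The names pcm_state, release_buffer, release_handle and record_demo are hypothetical, a pipe descriptor stands in for the PCM handle, and `fail` simulates a capture error.

```c
#include <pthread.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical stand-in for the capture state named in the report. */
struct pcm_state {
    char *buffer;       /* heap buffer, NULL once released */
    int fd;             /* stands in for the PCM handle, -1 once closed */
    int frees, closes;  /* instrumentation: real free()/close() calls */
};

/* Idempotent releases: safe in a cleanup handler and again at an exit label. */
static void release_buffer(void *arg)
{
    struct pcm_state *s = arg;
    if (s->buffer != NULL) {
        free(s->buffer);
        s->buffer = NULL;
        s->frees++;
    }
}

static void release_handle(void *arg)
{
    struct pcm_state *s = arg;
    if (s->fd >= 0) {
        close(s->fd);
        s->fd = -1;
        s->closes++;
    }
}

int record_demo(struct pcm_state *s, int fail)
{
    int p[2], rc = fail ? -1 : 0;
    s->buffer = NULL; s->fd = -1; s->frees = s->closes = 0;
    if (pipe(p) != 0) return -2;
    close(p[1]);
    s->fd = p[0];                      /* constructed descriptor */
    if ((s->buffer = malloc(4096)) == NULL) { rc = -2; goto out; }
    pthread_cleanup_push(release_handle, s);
    pthread_cleanup_push(release_buffer, s);
    pthread_cleanup_pop(fail);         /* runs release_buffer on error */
    pthread_cleanup_pop(fail);         /* runs release_handle on error */
out:
    release_buffer(s);                 /* no-op if the handler already ran */
    release_handle(s);
    return rc;
}
```

The handlers receive the address of the state rather than the buffer pointer itself, which is what lets them clear the field that the exit path checks.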
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
alsa-lib-1.1.6-2.fc28, alsa-plugins-1.1.6-2.fc28, alsa-tools-1.1.6-1.fc28, alsa-utils-1.1.6-1.fc28, python-alsa-1.1.6-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6bd008c547
alsa-lib-1.1.6-2.fc28, alsa-plugins-1.1.6-2.fc28, alsa-tools-1.1.6-1.fc28, alsa-utils-1.1.6-1.fc28, python-alsa-1.1.6-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.