Hello community, here is the log from the commit of package pulseaudio for openSUSE:Factory checked in at 2015-10-19 22:48:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pulseaudio (Old) and /work/SRC/openSUSE:Factory/.pulseaudio.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pulseaudio" Changes: --------
--- /work/SRC/openSUSE:Factory/pulseaudio/pulseaudio.changes 2015-10-03 20:29:31.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.pulseaudio.new/pulseaudio.changes 2015-10-19 22:48:27.000000000 +0200
@@ -1,0 +2,14 @@
+Sat Oct 17 09:21:39 CEST 2015 - [email protected]
+
+- Upstream fix patch for srb channel corruption (boo#950487):
+ pstream-Fix-use-after-free-in-srb_callback.patch
+- Re-enable srbchannel again
+
+-------------------------------------------------------------------
+Thu Oct 15 16:32:02 CEST 2015 - [email protected]
+
+- Disable srbchannel again as a workaround for crashes on KDE
+ (boo#950487):
+ disable-srbchannel.patch
+
+-------------------------------------------------------------------
New: ---- disable-srbchannel.patch pstream-Fix-use-after-free-in-srb_callback.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ pulseaudio.spec ++++++
--- /var/tmp/diff_new_pack.op6qdX/_old 2015-10-19 22:48:28.000000000 +0200
+++ /var/tmp/diff_new_pack.op6qdX/_new 2015-10-19 22:48:28.000000000 +0200
@@ -43,6 +43,11 @@
 Patch0: disabled-start.diff
 Patch1: suppress-socket-error-msg.diff
 Patch2: pulseaudio-wrong-memset.patch
+# PATCH-FIX-SUSE disable-srbchannel.patch boo#950487 Disable srbchannel as a workaround for crashes on KDE
+# XXX note this patch isn't used for now, kept just for workaround in future
+Patch3: disable-srbchannel.patch
+# PATCH-FIX-UPSTREAM pstream-Fix-use-after-free-in-srb_callback.patch boo#950487
+Patch4: pstream-Fix-use-after-free-in-srb_callback.patch
 # PATCH-FIX-UPSTREAM 0002-alsa-mixer-Recognize-Dock-Line-Out-jack.patch boo#934850
 Patch102: 0002-alsa-mixer-Recognize-Dock-Line-Out-jack.patch
 BuildRequires: alsa-devel >= 1.0.19
@@ -324,6 +329,10 @@
 %patch0
 %patch1 -p1
 %patch2
+%if 0
+%patch3 -p1
+%endif
+%patch4 -p1
 %patch102 -p1
 %build
++++++ disable-srbchannel.patch ++++++
---
 src/pulsecore/protocol-native.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/pulsecore/protocol-native.c
+++ b/src/pulsecore/protocol-native.c
@@ -5328,7 +5328,7 @@ int pa_native_options_parse(pa_native_op
 pa_assert(PA_REFCNT_VALUE(o) >= 1);
 pa_assert(ma);
- o->srbchannel = true;
+ o->srbchannel = false;
 if (pa_modargs_get_value_boolean(ma, "srbchannel", &o->srbchannel) < 0) {
 pa_log("srbchannel= expects a boolean argument.");
 return -1;
++++++ pstream-Fix-use-after-free-in-srb_callback.patch ++++++
>From 9d370181ec4bc1e252b54dd0e7bb52016f01b238 Mon Sep 17 00:00:00 2001
From: David Henningsson <[email protected]>
Date: Fri, 16 Oct 2015 22:12:32 +0200
Subject: [PATCH] pstream: Fix use-after-free in srb_callback
We need to guard the pstream with an extra ref to ensure it is not destroyed at the time we check whether or not the srbchannel is destroyed.
Reported-by: Takashi Iwai <[email protected]>
BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=950487
Signed-off-by: David Henningsson <[email protected]>
---
 src/pulsecore/pstream.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
--- a/src/pulsecore/pstream.c
+++ b/src/pulsecore/pstream.c
@@ -216,14 +216,23 @@ fail:
 }
 static bool srb_callback(pa_srbchannel *srb, void *userdata) {
+ bool b;
 pa_pstream *p = userdata;
 pa_assert(p);
 pa_assert(PA_REFCNT_VALUE(p) > 0);
 pa_assert(p->srb == srb);
+ pa_pstream_ref(p);
+
 do_pstream_read_write(p);
- return p->srb != NULL;
+
+ /* If either pstream or the srb is going away, return false.
+ We need to check this before p is destroyed. */
+ b = (PA_REFCNT_VALUE(p) > 1) && (p->srb == srb);
+ pa_pstream_unref(p);
+
+ return b;
 }
 static void io_callback(pa_iochannel*io, void *userdata) {
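Review bot: In the srb_callback hunk of pstream.c, the liveness test `PA_REFCNT_VALUE(p) > 1` is only sound if the reference taken by `pa_pstream_ref(p)` just above is the sole temporary one at that point; any other transient holder would make a dying pstream look alive and the callback would report the srbchannel as still usable. The comment should state that invariant, for example `/* Our own ref keeps p valid here; a count of 1 means every other owner released p during do_pstream_read_write(). */`. The result variable `b` would read better as `alive` or `keep_going`. The extra ref protects only `p`, so it is worth confirming in the caller (not visible in this hunk) that `srb` itself is not touched again once this callback returns false.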
