[alsa-devel] [alsa-lib] Possible bug in function 'snd_ctl_hw_open', file control_hw.c

alex dot baldacchino dot alsasub at gmail dot com alex.baldacchino.alsasub at gmail.com
Tue May 31 14:48:43 CEST 2011

I've noticed at some point function snd_ctl_hw_open() calls
snd_ctl_new() to allocate memory for variable snd_ctl_t *ctl; then it
tries to handle an error condition, but, regardless of such an error,
memory locations pointed by ctl are accessed and filled in (eventually
with invalid data, since the error causes 'fd' to be closed and 'hw'
to be freed). Since ctl could point a random area in case of
allocation failure, perhaps the function should return if such an
error occurs and avoid dereferencing it. An easy fix would be the
following, unless I'm missing something.

--- old/src/control/control_hw.c	2011-05-31 14:20:12.975999400 +0200
+++ new/src/control/control_hw.c	2011-05-31 14:21:35.559999388 +0200
@@ -414,6 +414,7 @@
 	if (err < 0) {
+		return err;
 	ctl->ops = &snd_ctl_hw_ops;
 	ctl->private_data = hw;

More information about the Alsa-devel mailing list