Hello, I've noticed that at some point the function snd_ctl_hw_open() calls snd_ctl_new() to allocate memory for the variable snd_ctl_t *ctl; then it tries to handle an error condition, but, regardless of such an error, the memory locations pointed to by ctl are accessed and filled in (eventually with invalid data, since the error causes 'fd' to be closed and 'hw' to be freed). Since ctl could point to a random area in case of allocation failure, perhaps the function should return if such an error occurs and avoid dereferencing it. An easy fix would be the following, unless I'm missing something.
------------------------------------------------------ control_hw.patch -------------------------------------------------------------- --- old/src/control/control_hw.c 2011-05-31 14:20:12.975999400 +0200 +++ new/src/control/control_hw.c 2011-05-31 14:21:35.559999388 +0200 @@ -414,6 +414,7 @@ if (err < 0) { close(fd); free(hw); + return err; } ctl->ops = &snd_ctl_hw_ops; ctl->private_data = hw;
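Review bot: the added `return err;` in the `if (err < 0)` branch is submitted without a changelog or Signed-off-by line, and the description should name both defects it closes. Without the return, execution falls through to `ctl->ops = &snd_ctl_hw_ops;`, which writes through a `ctl` that was never validly set, and to `ctl->private_data = hw;`, which stores a pointer that `free(hw)` has just released, so any later use of `private_data` would be a use-after-free. Before merging, confirm that `close(fd)` and `free(hw)` are the only resources held at this point, since the early return now makes this branch the complete cleanup path, and that `err` is the value callers expect on failure.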