From 0319e0b07f7a38860575254cfd4188682cd89eb1 Mon Sep 17 00:00:00 2001 From: Nickolay Shmyrev Date: Fri, 21 Aug 2020 23:53:04 +0200 Subject: [PATCH] res_speech: Bump reference on format object Properly bump reference on format object to avoid memory corruption on double free ASTERISK-29040 #close Change-Id: Ic5a7faabfe2ef965ddb024186e1de7ca4542e2a3 --- res/res_speech.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/res/res_speech.c b/res/res_speech.c index 31ad61acb4..57f6fa61e9 100644 --- a/res/res_speech.c +++ b/res/res_speech.c @@ -220,16 +220,17 @@ struct ast_speech *ast_speech_new(const char *engine_name, const struct ast_form new_speech->engine = engine; /* Can't forget the format audio is going to be in */ - new_speech->format = best; + new_speech->format = ao2_bump(best); /* We are not ready to accept audio yet */ ast_speech_change_state(new_speech, AST_SPEECH_STATE_NOT_READY); /* Pass ourselves to the engine so they can set us up some more and if they error out then do not create a structure */ - if (engine->create(new_speech, best)) { + if (engine->create(new_speech, new_speech->format)) { ast_mutex_destroy(&new_speech->lock); + ao2_ref(new_speech->format, -1); ast_free(new_speech); - new_speech = NULL; + return NULL; } return new_speech;