tag 7897189af6607da6d300f6eff4e4c532d0f2df79
tagger The Android Open Source Project <initial-contribution@android.com> Fri Oct 16 15:18:35 2020 -0700
object 377d383de91c5cdfe11b1deaca2046b1b9969294

Android O MR1 IOT Release Smart Display r30 (OIMI.200528.001)

commit 377d383de91c5cdfe11b1deaca2046b1b9969294
author Yingjoe Chen <yingjoe.chen@mediatek.com> Sat Mar 07 18:19:30 2020 +0800
committer Darren Krahn <dkrahn@google.com> Mon Mar 16 18:55:08 2020 -0700
tree 35d709b1421d2b58e48b7ae5aae1d18a401acfd5
parent e8f4ba03b363136e84c8d8a86e2c285d6ebef45c

[ALPS05020298] ALSA: timer: Fix incorrectly assigned timer instance

The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in
snd_timer_open()") unified the error handling code paths with the
standard goto, but it introduced a subtle bug: the timer instance is
stored in snd_timer_open() incorrectly even if it returns an error.
This may eventually lead to UAF, as spotted by fuzzer.

In this patch, we fix it by not re-using timeri variable but a
temporary variable for testing the exclusive connection, so timeri
remains NULL at that point.

Bug: 151000310
Change-Id: I9ce2d4b5d992ba76dda740caea1046efe0ff782c
Signed-off-by: chipeng chang <chipeng.chang@mediatek.com>
Signed-off-by: Yingjoe Chen <yingjoe.chen@mediatek.com>
CR-Id: ALPS05020298
Feature: [Module]Audio Kernel
(cherry-pick from b11912c59a9ff64e965bbb82137a70ae6144ce7e)