Memory leak in JitterBuffer
I'm referring to the code path at https://gitlab.xiph.org/xiph/speexdsp/-/blob/master/libspeexdsp/jitter.c#L591-595 which is taken if the user has registered a custom destroy/free callback (via JITTER_BUFFER_SET_DESTROY_CALLBACK). However, contrary to the path that is taken if no such callback has been registered, the packet's data doesn't seem to get destroyed (by invoking the user-registered callback). At the end of the else-block for this if-statement, speex_free is used for that purpose, but as I said: the code path for the custom destroy callback seems to be missing out on this.
If I understand the logic correctly, the packet isn't immediately freed, as in this case the data pointer in use is returned as-is instead of copying the data out of the buffer. Therefore, freeing the data here would cause the using application to perform a use-after-free when accessing the returned data.
However, the problem seems to be that jitter->packets[i].data is set to NULL. Therefore, any subsequent logic to check whether a given packet has been released already (which appears to be done by checking if data == NULL, e.g. at https://gitlab.xiph.org/xiph/speexdsp/-/blob/master/libspeexdsp/jitter.c#L378) will assume that the data has been freed, where in fact it hasn't (the pointer has only been overwritten with NULL without actually freeing the data).
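To make the ownership question in the report concrete, here is an added, reduced model of the two paths described above (this is illustrative code written for this page, not speexdsp's jitter.c; the struct and function names are hypothetical). A counting allocator records whether the packet buffer is still live after a get: the copy path releases it inside the buffer, while the callback path hands the pointer to the caller and only NULLs the slot, so the buffer is released only if the caller invokes the destroy callback on it.

```c
/* Added example (not speexdsp's code): a reduced model of the two
 * jitter_buffer_get() paths the report describes, with an allocation
 * counter so we can check on which side the packet data must be released. */
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0;                 /* outstanding packet buffers */

static void *pkt_alloc(size_t n) { live_allocs++; return calloc(1, n); }
static void  pkt_free(void *p)   { if (p) { live_allocs--; free(p); } }

typedef void (*destroy_cb)(void *);

struct slot { char *data; int len; };
struct jb   { struct slot packets[4]; destroy_cb destroy; };

/* Model of the "get" path: the copy path frees the slot's buffer itself,
 * the callback path hands the pointer to the caller and only NULLs the slot. */
static char *jb_get(struct jb *j, int i, char *out, int outlen, int *len)
{
    char *ret;
    if (j->destroy) {
        ret = j->packets[i].data;       /* ownership moves to the caller */
        *len = j->packets[i].len;
    } else {
        *len = j->packets[i].len < outlen ? j->packets[i].len : outlen;
        memcpy(out, j->packets[i].data, (size_t)*len);
        pkt_free(j->packets[i].data);   /* buffer released inside the buffer */
        ret = out;
    }
    j->packets[i].data = NULL;          /* slot now reads as "released" */
    return ret;
}

/* Returns the number of packet buffers still live after one get().
 * use_callback selects the destroy-callback path; caller_destroys says
 * whether the caller then invokes the callback on the handed-off pointer. */
int leaked_after_get(int use_callback, int caller_destroys)
{
    struct jb j; char out[8]; int len; char *p;
    live_allocs = 0;
    memset(&j, 0, sizeof j);
    j.destroy = use_callback ? pkt_free : NULL;
    j.packets[0].data = pkt_alloc(4);
    j.packets[0].len = 4;
    p = jb_get(&j, 0, out, (int)sizeof out, &len);
    if (use_callback && caller_destroys)
        j.destroy(p);                    /* caller releases handed-off data */
    return live_allocs;                  /* 0 only when the owner freed it */
}
```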