From a3eff0c51a8b5ad58fa7111e770e3b5b3d959351 Mon Sep 17 00:00:00 2001 From: Jerzy Kasenberg Date: Tue, 25 Aug 2020 14:30:02 +0200 Subject: [PATCH] audio_device: Fix NULL pointer access in audiod_xfer_cb b_bytes_copied was pointer with NULL value instead of plain variable. NULL pointer was passed to audio_tx_done_cb() and dereference as well. Now variable is not a pointer. --- src/class/audio/audio_device.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/class/audio/audio_device.c b/src/class/audio/audio_device.c index 1f266082..cbb13afc 100644 --- a/src/class/audio/audio_device.c +++ b/src/class/audio/audio_device.c @@ -1002,10 +1002,10 @@ bool audiod_xfer_cb(uint8_t rhport, uint8_t ep_addr, xfer_result_t result, uint3 // This is the only place where we can fill something into the EPs buffer! // Load new data - uint16_t *n_bytes_copied = NULL; - TU_VERIFY(audio_tx_done_cb(rhport, &_audiod_itf[idxDriver], n_bytes_copied)); + uint16_t n_bytes_copied; + TU_VERIFY(audio_tx_done_cb(rhport, &_audiod_itf[idxDriver], &n_bytes_copied)); - if (*n_bytes_copied == 0) + if (n_bytes_copied == 0) { // Load with ZLP return usbd_edpt_xfer(rhport, ep_addr, NULL, 0);