From: George Kiagiadakis <george.kiagiadakis@xxxxxxxxxxxxx>
The media_item objects are owned by the player and while we keep
temporary pointers to them in pending_list_items, clearing the player's
playlist destroys them and we will end up crashing in the next call to
avrcp_list_items_rsp(). The crash is racy and can only be observed
when skipping tracks very quickly in an Apple Music station (where the
playlist changes on every next song)
---
profiles/audio/avrcp.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 8d1e03b93..7296ac164 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3879,6 +3879,14 @@ static void avrcp_now_playing_changed(struct avrcp *session,
DBG("NowPlaying changed");
+ /* reset the list_items operation, if it is in progress
+ or else we will crash because _clear_playlist() frees the items */
+ if (player->p) {
+ g_slist_free(player->p->items);
+ g_free(player->p);
+ player->p = NULL;
+ }
+
media_player_clear_playlist(mp);
}
--
2.43.0
