Fixed use-after-free in music_fluidsynth.c

Tom M. There is a dangerous use-after-free in FLUIDSYNTH_Delete(): the settings object is deleted **before** the synth. Since the settings have been created first to initialize the synth, you must first delete the synth and then delete the settings. This currently crashes all applications that use fluidsynth 2.1.6 and SDL2_mixer. Please apply the attached patch and release a bug fix release. Originally reported at FluidSynth/fluidsynth#748
libsdl-org · Jan 20, 2021 · 6160668 · 6160668
1 parent e4f8092
commit 6160668
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/codecs/music_fluidsynth.c b/src/codecs/music_fluidsynth.c
@@ -285,9 +285,10 @@ static void FLUIDSYNTH_Stop(void *context)
 static void FLUIDSYNTH_Delete(void *context)
 {
     FLUIDSYNTH_Music *music = (FLUIDSYNTH_Music *)context;
+    fluid_settings_t *settings = fluidsynth.fluid_synth_get_settings(music->synth);
     fluidsynth.delete_fluid_player(music->player);
-    fluidsynth.delete_fluid_settings(fluidsynth.fluid_synth_get_settings(music->synth));
     fluidsynth.delete_fluid_synth(music->synth);
+    fluidsynth.delete_fluid_settings(settings);
     SDL_free(music);
 }