From 37360d858d629d0de398930639cbdd8a089bfafa Mon Sep 17 00:00:00 2001
From: David Fries
Date: Sat, 23 Aug 2014 14:04:22 -0500
Subject: [PATCH] fix dangling pointer cnt->current_image after resize
cnt->current_image because a dangling pointer after image_ring_resize because it is pointing to cnt->imgs.image_ring which is reallocated in that routine. motion_loop will then store cnt->current_image in old_image which it can then read from. Reallocations are rare, once in init to size 1, then once to the final size. I apparently have a bad USB link and I was seeing a crash pointing to bad data, after that camera started, then had an error and crashed in process_image_ring(cnt, IMAGE_BUFFER_FLUSH); it hadn't yet resized to the normal ring buffer size. That got me trying valgrind with a ring buffer size limit of 1 which found this bug.
---
motion.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/motion.c b/motion.c
index e21f8bf6..852c5a97 100644
--- a/motion.c
+++ b/motion.c
@@ -134,6 +134,7 @@ static void image_ring_resize(struct context *cnt, int new_size)
 /* Point to the new ring */
 cnt->imgs.image_ring = tmp;
+ cnt->current_image = NULL;
 cnt->imgs.image_ring_size = new_size;
 }
@@ -168,6 +169,7 @@ static void image_ring_destroy(struct context *cnt)
 free(cnt->imgs.image_ring);
 cnt->imgs.image_ring = NULL;
+ cnt->current_image = NULL;
 cnt->imgs.image_ring_size = 0;
 }
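Review bot: Nulling `cnt->current_image` after the reallocation in image_ring_resize replaces the use-after-free with a NULL dereference the next time motion_loop reads the pointer, unless every caller re-derives it from the new ring before use; that cannot be confirmed from this hunk, which shows only the tail of image_ring_resize. If the old entries are copied into `tmp` before this point, re-pointing instead of clearing would keep the caller's view valid: `cnt->current_image = tmp + (cnt->current_image - cnt->imgs.image_ring);` placed before `cnt->imgs.image_ring = tmp;`, guarded by a check that current_image is non-NULL and lies within the old ring. Whichever is chosen, the invariant should be stated at the assignment, e.g. `/* The ring was reallocated, so any cached pointer into it is stale; callers must reset current_image before dereferencing it. */`. The matching reset in image_ring_destroy is correct as written, since nothing may reference the freed ring.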