From 7122d2e862e028a730478d88cd61557fbed16ebf Mon Sep 17 00:00:00 2001
From: mannol
Date: Tue, 20 Dec 2016 22:31:47 +0100
Subject: [PATCH] Use after free reported in #278 occurs because toxav_kill() calls msi_kill() (toxav.c:180) which frees msi_call instances (msi.c:161) which are then used when call_remove() (toxav.c:1136) is called. This fix prevents call_remove() from calling invalid pointer.

Fixes #278
---
 toxav/toxav.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/toxav/toxav.c b/toxav/toxav.c
index 49058b8fbc..59c0c1e4b5 100644
--- a/toxav/toxav.c
+++ b/toxav/toxav.c
@@ -188,6 +188,7 @@ void toxav_kill(ToxAV *av)
 while (it) {
 call_kill_transmission(it);
+ it->msi_call = NULL; /* msi_kill() frees the call's msi_call handle; which causes #278 */
 it = call_remove(it); /* This will eventually free av->calls */
 }
 }
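Review bot: The added `it->msi_call = NULL;` comes after `call_kill_transmission(it);`, so if that function reads `it->msi_call` the freed handle is still dereferenced there; placing the assignment before the call is safer: `it->msi_call = NULL;` then `call_kill_transmission(it);`. Clearing the pointer in this loop is a workaround rather than a fix of the ownership problem: per the description the handle is freed by the msi_kill() call at line 180 and stays dangling until this loop runs, so the stronger fix is to clear the back-reference at the point where msi_kill() frees the msi_call, or to tear down the calls before calling msi_kill(). The comment wording "which causes #278" is awkward; suggest `/* already freed by msi_kill() above; clear it so call_remove() does not touch it (#278) */`. toxav_kill() begins outside the hunk.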