From 67596a87731dc593551975ca0268a438ab7410a2 Mon Sep 17 00:00:00 2001
From: derselbst <tom.mbrt@googlemail.com>
Date: Sun, 14 Mar 2021 10:58:13 +0100
Subject: [PATCH] Invalid generator were not removed from list

fluid_list_remove() should receive the beginning of a list, so it can
adjust the predecessor of the ele
ment to be removed. Otherwise the element would remain in the list,
which in this case led to a use-aft
er-free afterwards.

---
 src/sfloader/fluid_defsfont.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/sfloader/fluid_defsfont.c b/src/sfloader/fluid_defsfont.c
index 0330de5..fc68d34 100644
--- a/src/sfloader/fluid_defsfont.c
+++ b/src/sfloader/fluid_defsfont.c
@@ -2706,7 +2706,7 @@ load_pmod (int size, SFData * sf, FILE * fd)
 static int
 load_pgen (int size, SFData * sf, FILE * fd)
 {
-  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
+  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
   SFZone *z;
   SFGen *g;
   SFGenAmount genval;
@@ -2718,7 +2718,7 @@ load_pgen (int size, SFData * sf, FILE * fd)
     {				/* traverse through all presets */
       gzone = FALSE;
       discarded = FALSE;
-      p2 = ((SFPreset *) (p->data))->zone;
+      start_of_zone_list = p2 = ((SFPreset *) (p->data))->zone;
       if (p2)
 	hz = &p2;
       while (p2)
@@ -2828,12 +2828,14 @@ load_pgen (int size, SFData * sf, FILE * fd)
 		    }
 		}
 	      else
-		{		/* previous global zone exists, discard */
+		{
+		  SFZone * pzone = fluid_list_get(p2);
+		  /* previous global zone exists, discard */
 		  FLUID_LOG (FLUID_WARN,
 		    _("Preset \"%s\": Discarding invalid global zone"),
 		    ((SFPreset *) (p->data))->name);
-		  *hz = fluid_list_remove(*hz, p2->data);
-		  sfont_free_zone((SFZone *)fluid_list_get(p2));
+		  *hz = fluid_list_remove(start_of_zone_list, pzone);
+		  sfont_free_zone(pzone);
 		}
 	    }
 
@@ -3058,7 +3060,7 @@ load_imod (int size, SFData * sf, FILE * fd)
 static int
 load_igen (int size, SFData * sf, FILE * fd)
 {
-  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
+  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
   SFZone *z;
   SFGen *g;
   SFGenAmount genval;
@@ -3070,7 +3072,7 @@ load_igen (int size, SFData * sf, FILE * fd)
     {				/* traverse through all instruments */
       gzone = FALSE;
       discarded = FALSE;
-      p2 = ((SFInst *) (p->data))->zone;
+      start_of_zone_list = p2 = ((SFInst *) (p->data))->zone;
       if (p2)
 	hz = &p2;
       while (p2)
@@ -3179,12 +3181,14 @@ load_igen (int size, SFData * sf, FILE * fd)
 		    }
 		}
 	      else
-		{		/* previous global zone exists, discard */
+		{
+		  SFZone * izone = fluid_list_get(p2);
+		  /* previous global zone exists, discard */
 		  FLUID_LOG (FLUID_WARN,
 		    _("Instrument \"%s\": Discarding invalid global zone"),
 		    ((SFInst *) (p->data))->name);
-		  *hz = fluid_list_remove(*hz, p2->data);
-		  sfont_free_zone((SFZone *)fluid_list_get(p2));
+		  *hz = fluid_list_remove(start_of_zone_list, izone);
+		  sfont_free_zone(izone);
 		}
 	    }
 
-- 
2.23.0