Fix possible invalid free in irecv_open_with_ecid()

irecv_open_with_ecid calls libusb_open() in a loop. When the operation
fails libusb_close() is called with the returned handle - which ideally
should be NULL upon calling libusb_open(). However since we're operating
in a loop this is only the case for the first time libusb_open() is called
and subsequent invocations only overwrite the handle upon success.
Whenever the libusb_open() fails and it is not the first invocation, the
libusb_close() that is called afterwards may cause an invalid free.
To prevent this we set the handle to NULL before calling libusb_open().

1 files changed, 1 insertions, 1 deletions

diff --git a/src/libirecovery.c b/src/libirecovery.c
index 9284316..6626b1d 100644
--- a/src/libirecovery.c
+++ b/src/libirecovery.c
@@ -1116,7 +1116,6 @@ IRECV_API irecv_error_t irecv_open_with_ecid(irecv_client_t* pclient, unsigned l
         int i = 0;
         struct libusb_device* usb_device = NULL;
         struct libusb_device** usb_device_list = NULL;
-        struct libusb_device_handle* usb_handle = NULL;
         struct libusb_device_descriptor usb_descriptor;
 
         *pclient = NULL;
@@ -1150,6 +1149,7 @@ IRECV_API irecv_error_t irecv_open_with_ecid(irecv_client_t* pclient, unsigned l
 
                                 debug("opening device %04x:%04x...\n", usb_descriptor.idVendor, usb_descriptor.idProduct);
 
+                                struct libusb_device_handle* usb_handle = NULL;
                                 int libusb_error = libusb_open(usb_device, &usb_handle);
                                 if (usb_handle == NULL || libusb_error != 0) {
                                         debug("%s: can't connect to device: %s\n", __func__, libusb_error_name(libusb_error));