Fix: Clearing retransmit buffer after player stop could crash due

to reading pointer from free'd memory (in raop.c). Also added some
safeguards against passing invalid file descripters to close()
in player.c.

src/player.c

@@ -1836,7 +1836,8 @@ playback_abort(void)
   if (event_initialized(&pb_timer_ev))
     event_del(&pb_timer_ev);
 
-  close(pb_timer_fd);
+  if (pb_timer_fd != -1)
+    close(pb_timer_fd);
   pb_timer_fd = -1;
 
   if (cur_playing)
@@ -1972,7 +1973,8 @@ playback_stop(struct player_command *cmd)
   if (event_initialized(&pb_timer_ev))
     event_del(&pb_timer_ev);
 
-  close(pb_timer_fd);
+  if (pb_timer_fd != -1)
+    close(pb_timer_fd);
   pb_timer_fd = -1;
 
   if (cur_playing)
@@ -2104,7 +2106,8 @@ playback_start_bh(struct player_command *cmd)
   return 0;
 
  out_fail:
-  close(pb_timer_fd);
+  if (pb_timer_fd != -1)
+    close(pb_timer_fd);
   pb_timer_fd = -1;
   playback_abort();
 
@@ -2434,7 +2437,8 @@ playback_pause(struct player_command *cmd)
   if (event_initialized(&pb_timer_ev))
     event_del(&pb_timer_ev);
 
-  close(pb_timer_fd);
+  if (pb_timer_fd != -1)
+    close(pb_timer_fd);
   pb_timer_fd = -1;
 
   if (ps->play_next)

src/raop.c

@@ -1690,6 +1690,7 @@ raop_session_cleanup(struct raop_session *rs)
 {
   struct raop_session *s;
   struct raop_v2_packet *pkt;
+  struct raop_v2_packet *next_pkt;
 
   if (rs == sessions)
     sessions = sessions->next;
@@ -1709,8 +1710,13 @@ raop_session_cleanup(struct raop_session *rs)
   /* No more active sessions, free retransmit buffer */
   if (!sessions)
     {
-      for (pkt = pktbuf_head; pkt; pkt = pkt->next)
-	free(pkt);
+      pkt = pktbuf_head;
+      while (pkt)
+	{
+	  next_pkt = pkt->next;
+	  free(pkt);
+	  pkt = next_pkt;
+	}
 
       pktbuf_head = NULL;
       pktbuf_tail = NULL;