236: Double Free when quitting the game


Current status

Title: Double Free when quitting the game
Status: Completed
Category: Bug
Created: 2012-02-27 03:31:08
Last updated: 2012-03-17 20:51:53

History

1 | 2012-02-27 03:31:08 | Proposed
paulliu at debian.org
Dear Ogapee,

glibc complains about double free when quitting the game.
*** glibc detected *** onscripter: double free or corruption (fasttop): 0x08d17d38 ***
======= Backtrace: =========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6e221)[0xf71dd221]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6fa88)[0xf71dea88]
/lib/i386-linux-gnu/i686/cmov/libc.so.6(cfree+0x6d)[0xf71e1b3d]
/usr/lib/i386-linux-gnu/libSDL_mixer-1.2.so.0(Mix_FreeMusic+0x39)[0xf75e11f9]

After running valgrind I found that
==22652== Invalid read of size 4
==22652==    at 0x49591EC: Mix_FreeMusic (in /usr/lib/i386-linux-gnu/libSDL_mixer-1.2.so.0.12.0)
==22652==    by 0x80770AC: ONScripter::stopBGM(bool) (in /usr/games/onscripter)
==22652==    by 0x806099A: _ZN10ONScripter14mp3stopCommandEv.part.5 (in /usr/games/onscripter)
==22652==    by 0x8061778: ONScripter::stopCommand() (in /usr/games/onscripter)
...
==22652==  Address 0xc145b30 is 0 bytes inside a block of size 24 free'd
==22652==    at 0x48CB21C: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==22652==    by 0x49591F8: Mix_FreeMusic (in /usr/lib/i386-linux-gnu/libSDL_mixer-1.2.so.0.12.0)
==22652==    by 0x806735E: ONScripter::endCommand() (in /usr/games/onscripter)
...

So I made a patch to address this issue.
Please review if it is good.

Thank you,
Paul
Attachment: 01_avoid_doublefree.patch (text/plain, 523 bytes)

2 | 2012-02-28 00:11:56 | Fixed
ogapee at aqua.dti2.ne.jp
Hi, Paul-san


It seems midi_info and music_info are doubly freed in ONScripter::quit() and ONScripter::stopBGM(bool), which is called from the destructor of ONScripter.

Your patch looks fine and it was applied to 20120227.

Thank you.

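The ownership mistake described above, as an added example that is not ONScripter's code and not the attached patch (the patch itself is not shown on this page): a stand-in for SDL_mixer's Mix_Music handle, the quit()/stopBGM()/destructor pattern that releases the same handle twice, and the usual fix of clearing the pointer after the single release. The class names, the FakeMusic type, fake_load_music(), fake_free_music() and the double-free counter are assumptions made for illustration, not the SDL_mixer API.

```cpp
#include <cstdio>

// Stand-in for SDL_mixer's Mix_Music handle and Mix_FreeMusic() (assumption:
// this is not the real SDL_mixer API). A genuine second free of the same heap
// block is what glibc flagged in the report; the stand-in just counts it.
struct FakeMusic {
    bool freed;
};

static FakeMusic g_handle;        // one stand-in handle is enough for this demo
static int g_double_frees = 0;    // times an already-freed handle was freed again

static FakeMusic *fake_load_music() {
    g_handle.freed = false;
    return &g_handle;
}

static void fake_free_music(FakeMusic *music) {
    if (music == nullptr) return;       // nothing to release
    if (music->freed) {                 // would corrupt the heap with a real allocator
        ++g_double_frees;
        return;
    }
    music->freed = true;
}

// Bug pattern: quit() releases music_info but leaves the dangling pointer in
// the object, so the destructor's stopBGM() releases the same handle again.
class BuggyPlayer {
public:
    BuggyPlayer() : music_info(fake_load_music()) {}
    ~BuggyPlayer() { stopBGM(false); }

    void stopBGM(bool /*continue_flag*/) {
        if (music_info) fake_free_music(music_info);   // pointer is never cleared
    }
    void quit() {
        if (music_info) fake_free_music(music_info);   // second release path, same handle
    }

private:
    FakeMusic *music_info;
};

// Fix pattern: one release path that nulls the pointer, so every later call
// (quit(), an explicit stopBGM(), the destructor) finds nothing left to free.
class FixedPlayer {
public:
    FixedPlayer() : music_info(fake_load_music()) {}
    ~FixedPlayer() { stopBGM(false); }

    void stopBGM(bool /*continue_flag*/) {
        if (music_info) {
            fake_free_music(music_info);
            music_info = nullptr;        // ownership is gone; record that
        }
    }
    void quit() { stopBGM(false); }      // reuse the single release path

private:
    FakeMusic *music_info;
};

// Run one "quit the game" sequence (quit(), then the destructor) and report
// how many double frees the stand-in observed.
int double_frees_buggy() {
    g_double_frees = 0;
    {
        BuggyPlayer player;
        player.quit();
    }   // ~BuggyPlayer() runs here and frees music_info a second time
    return g_double_frees;
}

int double_frees_fixed() {
    g_double_frees = 0;
    {
        FixedPlayer player;
        player.quit();
    }   // ~FixedPlayer() runs here; music_info is already nullptr
    return g_double_frees;
}

int main() {
    std::printf("buggy: %d double free(s)\n", double_frees_buggy());
    std::printf("fixed: %d double free(s)\n", double_frees_fixed());
    return 0;
}
```

Build with `g++ -std=c++11 double_free_demo.cpp` (file name assumed). With a real allocator instead of the stand-in, BuggyPlayer would abort with the same glibc "double free or corruption" message seen in the report, and `-fsanitize=address` would name both free sites; the fix makes stopBGM() idempotent, so the order in which quit(), stopBGM() and the destructor run no longer matters.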
3 | 2012-03-17 20:51:53 | Completed
ogapee at aqua.dti2.ne.jp
Hi, Paul-san


Since the official Debian packages (Sid (Unstable) and Wheezy (Testing)) were updated to 20120302, this bug report is closed.

Bug Tracking System 影舞 (Kagemai) 0.8.8
Powered by Ruby 1.8.7