We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 1418 - crash on double free if loading WAV file failed

Summary: crash on double free if loading WAV file failed

Status:	RESOLVED FIXED

Alias:	None

Product:	SDL_mixer
Classification:	Unclassified
Component:	misc (show other bugs)
Version:	1.2.12
Hardware:	x86_64 Linux

Importance:	P2 critical
Assignee:	Ryan C. Gordon
QA Contact:	Sam Lantinga

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-02-12 08:33 UTC by dwachs
Modified:	2012-02-13 22:17 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description dwachs 2012-02-12 08:33:37 UTC

Here is an excerpt of gdb:

.
*** glibc detected *** simutrans-trunk/simutrans/sim: double free or corruption (top): 0x0000000001774790 ***
======= Backtrace: =========
...


#0  0x00007ffff6a4cab5 in raise () from /lib64/libc.so.6
#1  0x00007ffff6a4dfb6 in abort () from /lib64/libc.so.6
#2  0x00007ffff6a87dd3 in __libc_message () from /lib64/libc.so.6
#3  0x00007ffff6a8d3b6 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007ffff6a922dc in free () from /lib64/libc.so.6
#5  0x00007ffff6a7d705 in fclose@@GLIBC_2.2.5 () from /lib64/libc.so.6
#6  0x00007ffff772b449 in ?? () from /usr/lib64/libSDL-1.2.so.0
#7  0x000000000061df4f in Mix_LoadWAV_RW (src=0x145f960, freesrc=1) at mixer.c:618


The problem here is:
-- SDL_LoadWAV_RW fails, but is called with freesrc==1, hence it closes the given file
-- mixer.c itself wants to close the file again in line 618:

	if ( !loaded ) {
		SDL_free(chunk);
		if ( freesrc ) {
			SDL_RWclose(src); /// causes double free
		}
		return(NULL);
	}

Suggestion: remove the entire if (freesrc) { .. } block, as the called subroutines close the file if freesrc != 0.

Comment 1 Sam Lantinga 2012-02-12 14:59:47 UTC

Fixed, thanks!
http://hg.libsdl.org/SDL_mixer/rev/2d713670db9b

Comment 2 dwachs 2012-02-13 00:01:44 UTC

that was quick :)

Thanks!

Comment 3 Sam Lantinga 2012-02-13 22:17:56 UTC

You're welcome! :)

We are currently migrating Bugzilla to GitHub issues.Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.