From: Paul Eggert
Date: Sun, 21 Apr 2019 16:59:13 +0000 (-0700)
Subject: Fix double-free in pdumper
X-Git-Tag: emacs-27.0.90~3157
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=2ea55c2774e726c7e393ee81b152aa9734c410cb;p=emacs.git

Fix double-free in pdumper

Revert the double-free bug that I introduced in 2019-03-11T15:20:54Z!eggert@cs.ucla.edu. * src/pdumper.c (dump_mmap_reset): Do not free the private member; that’s the release function’s job. (dump_mm_heap_cb_release): Free cb if its refcount goes to zero. (dump_mmap_contiguous_heap): Mention memory leak in comment.
---

diff --git a/src/pdumper.c b/src/pdumper.c
index 5bc5bb47f4c..3facd523e4a 100644
--- a/src/pdumper.c
+++ b/src/pdumper.c
@@ -4623,9 +4623,7 @@ dump_mmap_reset (struct dump_memory_map *map)
 {
   map->mapping = NULL;
   map->release = NULL;
-  void *private = map->private;
   map->private = NULL;
-  free (private);
 }
 
 static void
@@ -4648,7 +4646,10 @@ dump_mm_heap_cb_release (struct dump_memory_map_heap_control_block *cb)
 {
   eassert (cb->refcount > 0);
   if (--cb->refcount == 0)
-    free (cb->mem);
+    {
+      free (cb->mem);
+      free (cb);
+    }
 }
 
 static void
@@ -4663,7 +4664,12 @@ dump_mmap_contiguous_heap (struct dump_memory_map *maps, int nr_maps,
                            size_t total_size)
 {
   bool ret = false;
+
+  /* FIXME: This storage sometimes is never freed. Beware: the simple patch 2019-03-11T15:20:54Z!eggert@cs.ucla.edu is worse, as it sometimes frees this storage twice. */
   struct dump_memory_map_heap_control_block *cb = calloc (1, sizeof (*cb));
+  char *mem;
   if (!cb)
     goto out;
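Review bot: dump_mm_heap_cb_release now owns the lifetime of cb itself, not only cb->mem, but nothing at the function says so; any caller that still holds cb (for instance through the map's private member, which dump_mmap_reset in the first hunk now merely clears) must treat it as dangling once the last reference is dropped. A one-line contract comment above the function would make that explicit: `/* Drop one reference to CB.  When the count reaches zero this frees both CB->mem and CB itself, so the caller must not touch CB afterward.  */`. The eassert guard appears to be a checking-build assertion only, so in a build without checking a refcount already at zero would be decremented past zero instead of being caught; that predates this change but is worth a note next to it. The FIXME in the third hunk documents that some control blocks are still leaked, so the ownership comment should also point readers there.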