From 2ea55c2774e726c7e393ee81b152aa9734c410cb Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sun, 21 Apr 2019 09:59:13 -0700
Subject: [PATCH] Fix double-free in pdumper
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Revert the double-free bug that I introduced in 2019-03-11T15:20:54Z!eggert@cs.ucla.edu.
* src/pdumper.c (dump_mmap_reset): Do not free the private member; that’s the release function’s job.
(dump_mm_heap_cb_release): Free cb if its refcount goes to zero.
(dump_mmap_contiguous_heap): Mention memory leak in comment.
---
 src/pdumper.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/pdumper.c b/src/pdumper.c
index 5bc5bb47f4c..3facd523e4a 100644
--- a/src/pdumper.c
+++ b/src/pdumper.c
@@ -4623,9 +4623,7 @@ dump_mmap_reset (struct dump_memory_map *map)
 {
   map->mapping = NULL;
   map->release = NULL;
-  void *private = map->private;
   map->private = NULL;
-  free (private);
 }
 
 static void
@@ -4648,7 +4646,10 @@ dump_mm_heap_cb_release (struct dump_memory_map_heap_control_block *cb)
 {
   eassert (cb->refcount > 0);
   if (--cb->refcount == 0)
-    free (cb->mem);
+    {
+      free (cb->mem);
+      free (cb);
+    }
 }
 
 static void
@@ -4663,7 +4664,12 @@ dump_mmap_contiguous_heap (struct dump_memory_map *maps, int nr_maps,
                            size_t total_size)
 {
   bool ret = false;
+
+  /* FIXME: This storage sometimes is never freed.
+     Beware: the simple patch 2019-03-11T15:20:54Z!eggert@cs.ucla.edu
+     is worse, as it sometimes frees this storage twice. */
   struct dump_memory_map_heap_control_block *cb = calloc (1, sizeof (*cb));
+  char *mem;
   if (!cb)
     goto out;
-- 
2.39.5
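Review bot: dump_mmap_reset now clears map->private without releasing it, and nothing in the function tells a reader why that is not a leak; the ownership rule lives only in the commit message. A comment on the `map->private = NULL;` line would keep the next maintainer from re-adding the free, e.g. `/* PRIVATE is owned by map->release; resetting must never free it.  */`. The whole function is visible in this hunk.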
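Review bot: After the added `free (cb);` the caller's copy of the pointer is dangling until it is cleared elsewhere, and nothing at this function says that CB itself may be gone on return. The header comment above the function, which is outside this hunk, should state the contract explicitly, e.g. `/* Drop one reference to CB.  When the count reaches zero, free CB->MEM and then CB itself; CB must not be used after that.  */`. Since `eassert` is a checking-build assertion, the comment is the only guard a release build gives callers against an unbalanced release.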
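Review bot: The added FIXME records that cb can leak but leaves the leak in place; if no map has adopted cb before a failure in this function, its refcount is presumably still zero at `out:` (outside the hunk), so freeing cb there under `if (cb && cb->refcount == 0) free (cb);` would close the leak without reintroducing the double-free the reverted patch caused — this needs checking against the rest of dump_mmap_contiguous_heap, which continues past the hunk. Separately, the new `char *mem;` is declared without an initializer; if any path can reach the cleanup before it is assigned, `char *mem = NULL;` is the safer declaration.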