Menu
▾
▴
Re: [E-devel] epeg-0.9.1.042 bug - SIGSEGV due to double free or epeg_close called twice
|
From: Carsten H. (T. R. <ra...@ra...> - 2009-02-25 03:01:58
|
On Tue, 24 Feb 2009 16:52:28 -0300 Gustavo Sverzut Barbieri
<bar...@pr...> said:
already explained this in gory detail to samaresh :) thanks for re-iterating
it :)
> On Mon, Feb 23, 2009 at 4:48 PM, Samaresh Singh <sam...@ya...> wrote:
> > Hi,
> >
> > I have the following proposal to improve epeg-0.9.1.042. It is
> > currently giving SIGSEGV due to double free if epeg_close is called twice
> > consecutively.
> >
> > ===
> > EAPI void
> > epeg_close(Epeg_Image *im)
> > {
> > //if (!im) return;
> > /*The proposed chnage is the next line instaed of the commented line above*/
> > if ((!im) || !(*im)) return;
> > if (im->pixels) free(im->pixels);
> > if (im->lines) free(im->lines);
> > if (im->in.file) free(im->in.file);
> > if (!im->in.file) free(im->in.jinfo.src);
> > if (im->in.f || im->in.mem.data) jpeg_destroy_decompress(&
> > (im->in.jinfo)); if (im->in.f) fclose(im->in.f);
> > if (im->in.comment) free(im->in.comment);
> > if (im->in.thumb_info.uri) free(im->in.thumb_info.uri);
> > if (im->in.thumb_info.mime) free(im->in.thumb_info.mime);
> > if (im->out.file) free(im->out.file);
> > if (!im->out.file) free(im->out.jinfo.dest);
> > if (im->out.f || im->in.mem.data) jpeg_destroy_compress(&(im->out.jinfo));
> > if (im->out.f) fclose(im->out.f);
> > if (im->out.comment) free(im->out.comment);
> > free(im);
> > /*Another change*/
> > im=NULL;
> > }
> > ===
> >
> > Basically the changes are in epeg_close function of the
> > XXX/src/lib/epeg_main.c file. The SIGSEGV volation stopped if we return not
> > on (!im) but on (!(im) || !(*im)). Moreover, it will not hurt but may save
> > one from one of those unpredictable issues by the statement: im = NULL, at
> > the end.
>
> Well, first of all EPEG is deprecated, Evas contains all the
> functionality there, use evas_object_image_load_size_set().
>
> But this patch is very weird. "im" is the pointer, so it cannot be
> NULL, fine. But *im is not required to be NULL, and your block
>
> > /*Another change*/
> > im=NULL;
>
> is not what you think, it will not make *im == NULL, but rather change
> the local variable "im" (just inside the function!) to point
> elsewhere. This is known as "dead assignment" as nothing reads value
> of "im" after it is written.
>
> I'd say after "epeg_close()" the given pointer is to be considered
> invalid and should not be used anymore. It's like free(ptr), after
> this call ptr is now invalid.
>
> Regards,
>
> --
> Gustavo Sverzut Barbieri
> http://profusion.mobi embedded systems
> --------------------------------------
> MSN: bar...@gm...
> Skype: gsbarbieri
> Mobile: +55 (19) 9225-2202
>
> ------------------------------------------------------------------------------
> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
> -Strategies to boost innovation and cut costs with open source participation
> -Receive a $600 discount off the registration fee with the source code: SFAD
> http://p.sf.net/sfu/XcvMzF8H
> _______________________________________________
> enlightenment-devel mailing list
> enl...@li...
> https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
--
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler) ra...@ra...
|