
#59 double free in nco_cln_utl.c

closed-fixed
None
5
2012-05-20
2012-05-19
Peter Campbell
No

ncrcat was crashing with "double free or corruption". The cause was in nco_cln_utl.c where ut_free is being called when the memory has already been freed by ut_free_system. Here is some evidence from valgrind:

==26967== Invalid read of size 8
==26967== at 0x665ED53: ut_free (in libudunits2.so.0.0.0)
==26967== by 0x411D83: nco_cln_clc_dff (nco_cln_utl.c:206)
==26967== by 0x412BE6: nco_cln_clc_org (nco_cln_utl.c:683)
==26967== by 0x4276D6: nco_lmt_evl (nco_lmt.c:311)
==26967== by 0x409E87: main (ncra.c:711)
==26967== Address 0x8303a00 is 0 bytes inside a block of size 64 free'd
==26967== at 0x4C26BEE: free (vg_replace_malloc.c:427)
==26967== by 0x66601BC: productReallyFree (in libudunits2.so.0.0.0)
==26967== by 0x6660254: coreFreeSystem (in libudunits2.so.0.0.0)
==26967== by 0x666AB55: ut_free_system (in libudunits2.so.0.0.0)
==26967== by 0x411D77: nco_cln_clc_dff (nco_cln_utl.c:205)
==26967== by 0x412BE6: nco_cln_clc_org (nco_cln_utl.c:683)
==26967== by 0x4276D6: nco_lmt_evl (nco_lmt.c:311)
==26967== by 0x409E87: main (ncra.c:711)
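
The ordering in the trace above (ut_free_system at nco_cln_utl.c:205, then ut_free at line 206), as an added example that is not NCO or udunits2 code. It is a constructed model in which releasing a system also releases the units it owns; `system_t`, `unit_t`, `unit_new`, `unit_free`, `system_free`, the static pool and the stale-free counter are all hypothetical stand-ins.

```c
#include <stddef.h>

/* Constructed model, not udunits2 or NCO code: unit_free() and system_free()
 * are hypothetical stand-ins for ut_free() and ut_free_system(). */
#define MAX_UNITS 8
typedef struct { int live; } system_t;
typedef struct { int live; system_t *owner; } unit_t;
static unit_t pool[MAX_UNITS];  /* static pool, so stale handles stay readable */
static int stale_frees;         /* frees attempted on already-released units */

static unit_t *unit_new(system_t *s) {
    for (size_t i = 0; i < MAX_UNITS; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].owner = s; return &pool[i]; }
    return NULL;
}
/* Releasing the system also releases every unit it owns. */
static void system_free(system_t *s) {
    for (size_t i = 0; i < MAX_UNITS; i++)
        if (pool[i].live && pool[i].owner == s) pool[i].live = 0;
    s->live = 0;
}

/* On a real heap, a stale call here is the invalid read / double free. */
static void unit_free(unit_t *u) {
    if (u == NULL) return;                    /* cleared handle: no-op */
    if (!u->live) { stale_frees++; return; }  /* already released */
    u->live = 0;
}

/* Order seen in the trace: system first, then the unit. Returns stale frees. */
int cleanup_system_first(void) {
    system_t sys = { 1 };
    unit_t *u = unit_new(&sys);
    stale_frees = 0;
    system_free(&sys);
    unit_free(u);            /* u was already released with its system */
    return stale_frees;
}

/* Units before their system, clearing the handle after the free. */
int cleanup_units_first(void) {
    system_t sys = { 1 };
    unit_t *u = unit_new(&sys);
    stale_frees = 0;
    unit_free(u); u = NULL;
    system_free(&sys);
    return stale_frees;
}

int main(void) { return cleanup_system_first() == 1 && cleanup_units_first() == 0 ? 0 : 1; }
```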

Discussion

  • Charlie Zender
    2012-05-20

    Thanks for reporting this. It spurred me to find and fix the problem. Code is now committed and will be in next stable release.
    cz

     
  • Charlie Zender
    2012-05-20

    • assigned_to: nobody --> zender
    • status: open --> closed-fixed