#54 valgrind errors

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2004-03-01
Created: 2003-11-25
Creator: Jim Trainor
Private: No

Jean-Francois Panisset at Image Works reported the following memory bugs exposed by valgrind:

==5158== Invalid write of size 1
==5158==    at 0x40166503: strcpy (vg_clientfuncs.c:447)
==5158==    by 0x425E6711: AAFGetLibraryInfo(void*, char**, char**) (CAAFInProcServer.cpp:579)
==5158==    by 0x425E61CB: CAAFInProcServer::Init(tagAAFComObjectInfo*, void*) (CAAFInProcServer.cpp:141)
==5158==    by 0x425E678D: InterpCOMInitialize::InterpCOMInitialize() (AAFInterpCOM.cpp:111)
==5158==  Address 0x410D32AD is 0 bytes after a block of size 13 alloc'd
==5158==    at 0x40165E38: __builtin_vec_new (vg_clientfuncs.c:161)
==5158==    by 0x40165E76: operator new[](unsigned) (vg_clientfuncs.c:174)
==5158==    by 0x425E66FB: AAFGetLibraryInfo(void*, char**, char**) (CAAFInProcServer.cpp:578)
==5158==    by 0x425E61CB: CAAFInProcServer::Init(tagAAFComObjectInfo*, void*) (CAAFInProcServer.cpp:141)

That one is trivial. In AAFGetLibraryInfo() on Linux:

*pServerPath = new char[strlen((char*)hInstance)];   // one byte short: no room for the '\0'
strcpy( *pServerPath, (char*)hInstance);

strlen() doesn't include the trailing \0, but strcpy() copies it, so you end up writing one past the end of the array. The fix is:

*pServerPath = new char[strlen((char*)hInstance)+1];
strcpy( *pServerPath, (char*)hInstance);

Sad thing is that the IRIX case just above has the correct code :-(

And on exit:

==5158==
==5158== Mismatched free() / delete / delete []
==5158==    at 0x40165F96: __builtin_delete (vg_clientfuncs.c:199)
==5158==    by 0x40165FB6: operator delete(void*) (vg_clientfuncs.c:208)
==5158==    by 0x4164392C: OMFile::~OMFile() (OMFile.cpp:53)
==5158==    by 0x4157E6F2: ImplAAFFile::~ImplAAFFile() (ImplAAFFile.cpp:1223)
==5158==  Address 0x411080F4 is 0 bytes inside a block of size 208 alloc'd
==5158==    at 0x40165E38: __builtin_vec_new (vg_clientfuncs.c:161)
==5158==    by 0x40165E76: operator new[](unsigned) (vg_clientfuncs.c:174)
==5158==    by 0x416612C6: saveWideString(wchar_t const*) (OMUtilities.cpp:159)
==5158==    by 0x41647243: OMFile::OMFile(wchar_t const*, void*, OMObjectIdentification, OMFile::OMAccessMode, OMStoredObject*, OMClassFactory const*, OMDictionary*, OMFile::OMLoadMode) (OMFile.cpp:1041)

That one is easy: in the OMFile::OMFile() constructor:

_fileName = saveWideString(fileName);

where saveWideString() returns new wchar_t[length], but the destructor OMFile::~OMFile() calls delete, not delete[]:

delete _fileName;
_fileName = 0;

should be:

delete [] _fileName;
_fileName = 0;
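
Both fixes, written as an added example (not the AAF SDK's code) so that the allocation size and the deallocation form cannot drift apart again; the function names are hypothetical and the 13-character sample string used in testing is constructed.

```cpp
#include <cstddef>
#include <cstring>
#include <cwchar>
#include <memory>

// Added example, not AAF SDK code. All names below are hypothetical.

// Bytes strcpy() writes for src: strlen(src) characters plus the terminating '\0'.
// The buggy Linux branch allocated only strlen(src), which is exactly valgrind's
// "0 bytes after a block of size 13".
std::size_t bytesNeededForCopy(const char* src) {
    return std::strlen(src) + 1;
}

// Replacement for `new char[strlen(p)]; strcpy(...)`: the array is sized from
// bytesNeededForCopy(), and unique_ptr<char[]> always releases it with delete[].
std::unique_ptr<char[]> dupCString(const char* src) {
    const std::size_t n = bytesNeededForCopy(src);
    std::unique_ptr<char[]> out(new char[n]);
    std::memcpy(out.get(), src, n);   // n bytes, '\0' included, into an n-byte array
    return out;
}

// Counterpart of saveWideString(): returning unique_ptr<wchar_t[]> leaves the owning
// class with no raw pointer on which a destructor could run `delete` instead of
// `delete []`, which is the OMFile::~OMFile() mismatch.
std::unique_ptr<wchar_t[]> saveWideStringSafe(const wchar_t* src) {
    const std::size_t n = std::wcslen(src) + 1;
    std::unique_ptr<wchar_t[]> out(new wchar_t[n]);
    std::wmemcpy(out.get(), src, n);
    return out;
}

// For callers that already own a fixed-size buffer: refuse rather than overflow.
// Returns false when dst cannot hold the string and its terminator.
bool copyIntoBuffer(char* dst, std::size_t dstSize, const char* src) {
    const std::size_t n = bytesNeededForCopy(src);
    if (n > dstSize) return false;
    std::memcpy(dst, src, n);
    return true;
}
```

A 13-byte buffer, the size the buggy code allocated for a 13-character string, is rejected by copyIntoBuffer(); a 14-byte one is accepted.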

Discussion

  • Stuart Cunningham

    jfpanisset fixed both of these bugs in:
    ref-impl/src/com-api/com-dll/CAAFInProcServer.cpp v1.17
    ref-impl/src/OM/OMFile.cpp v1.146

    stuart_hc has reviewed the fixes, verified that valgrind no
    longer finds a problem in these areas of the code, and has
    closed the bug.

  • Stuart Cunningham

    • status: open --> closed-fixed