[vdr] *** glibc detected *** double free or corruption 1.4.2-1 Patch

Klaus Schmidinger Klaus.Schmidinger at cadsoft.de
Mon Sep 4 19:10:43 CEST 2006


Udo Richter wrote:
> Udo Richter wrote:
>> ==4652== Invalid free() / delete / delete[]
>> ==4652==    at 0x1B904B04: free (vg_replace_malloc.c:152)
>> ==4652==    by 0x8103F5F: cTimer::operator=(cTimer const&) (timers.c:108)
>> ==4652==    by 0x80FE349: cSVDRP::CmdMODT(char const*) (svdrp.c:1136)
>> ==4652==    by 0x81015C1: cSVDRP::Process() (svdrp.c:1563)
>> ==4652==    by 0x80B3458: cInterface::GetKey(bool) (interface.c:37)
>> ==4652==    by 0x810D919: main (vdr.c:866)
>> ==4652==  Address 0x1BEEAC90 is 0 bytes inside a block of size 63 free'd
>> ==4652==    at 0x1B904B04: free (vg_replace_malloc.c:152)
>> ==4652==    by 0x8104D6F: cTimer::Parse(char const*) (timers.c:244)
>> ==4652==    by 0x80FE493: cSVDRP::CmdMODT(char const*) (svdrp.c:1132)
>> ==4652==    by 0x81015C1: cSVDRP::Process() (svdrp.c:1563)
>> ==4652==    by 0x80B3458: cInterface::GetKey(bool) (interface.c:37)
>> ==4652==    by 0x810D919: main (vdr.c:866)
> 
> 
> I think I've found it:
> 
> This is line 1127 of svdrp.c:
> 
>     cTimer t = *timer;
> 
> Although this looks like it calls cTimer::operator=, it actually calls 
> the default copy constructor of cTimer, because in this case = is not an 
> assignment, but an initialization. Because of that, the aux field is 
> used by both objects, thus the double free. Try this line to see if it 
> causes this:
> 
>     cTimer t;
>     t = *timer;

It's probably best to implement an actual copy-constructor.

Please try the attached patch, which contains both changes.

Klaus
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vdr-1.4.2-1-timerassign.diff
Type: text/x-patch
Size: 1957 bytes
Desc: not available
Url : http://www.linuxtv.org/pipermail/vdr/attachments/20060904/dc938dca/vdr-1.4.2-1-timerassign-0001.bin
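The point Udo makes above, as an added example (not VDR's code and not the attached patch): a minimal stand-in for cTimer that owns a C string in an "aux" member. `T t = src;` is copy-initialisation, so it calls the copy constructor; when none is declared the compiler generates one that copies the pointer member-wise, and the user-defined operator= never runs. The class names BadTimer and GoodTimer, the guarded allocator, and the "CmdMODT-like" sequence (copy the timer, re-parse the copy, assign it back) are assumptions made for this illustration; the allocator quarantines released blocks instead of returning them to malloc so that a second release of the same block is detected exactly, rather than corrupting the heap the way the original report shows.

```cpp
// Added example, not VDR's code: why `cTimer t = *timer;` double-frees when a
// class declares operator= and a destructor but no copy constructor.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <set>

// Guarded allocator (assumption for this demo): released blocks go into a
// quarantine instead of back to malloc, so addresses are never reused and a
// second Release() of the same block is counted instead of corrupting the heap.
static std::set<void*> g_live;
static std::set<void*> g_quarantine;
static int g_double_frees = 0;

static char* Dup(const char* s) {
  size_t n = strlen(s) + 1;
  char* p = static_cast<char*>(malloc(n));
  memcpy(p, s, n);
  g_live.insert(p);
  return p;
}

static void Release(char* p) {
  if (!p) return;
  if (g_live.erase(p) == 0) { ++g_double_frees; return; }  // released before
  g_quarantine.insert(p);
}

static void ResetAllocator() {
  for (std::set<void*>::iterator it = g_quarantine.begin(); it != g_quarantine.end(); ++it)
    free(*it);
  g_quarantine.clear();
  g_double_frees = 0;
}

// Buggy shape: destructor and operator= manage aux, but no copy constructor is
// declared, so the compiler generates one that only copies the pointer.
class BadTimer {
public:
  char* aux;
  BadTimer(const char* s = "") : aux(Dup(s)) {}
  ~BadTimer() { Release(aux); }
  BadTimer& operator=(const BadTimer& o) {
    if (this != &o) { Release(aux); aux = Dup(o.aux); }
    return *this;
  }
};

// Fixed shape: a copy constructor that deep-copies aux, as Klaus suggests.
class GoodTimer {
public:
  char* aux;
  GoodTimer(const char* s = "") : aux(Dup(s)) {}
  GoodTimer(const GoodTimer& o) : aux(Dup(o.aux)) {}
  ~GoodTimer() { Release(aux); }
  GoodTimer& operator=(const GoodTimer& o) {
    if (this != &o) { Release(aux); aux = Dup(o.aux); }
    return *this;
  }
};

// Copy-initialisation of BadTimer leaves both objects holding the same block.
bool CopyInitAliasesAux() {
  bool aliased;
  {
    BadTimer timer("constructed timer string");
    BadTimer t = timer;                 // copy constructor, NOT operator=
    aliased = (t.aux == timer.aux);
  }                                     // both destructors release one block
  ResetAllocator();
  return aliased;
}

// CmdMODT-like sequence: copy the timer, re-parse the copy (frees and
// replaces its aux), assign the copy back. Returns the double frees observed.
template <class Timer>
int ModtLikeSequence() {
  ResetAllocator();
  {
    Timer timer("original aux");
    Timer t = timer;                    // copy-initialisation
    Timer parsed("modified aux");
    t = parsed;                         // stands in for t.Parse(): frees t.aux
    timer = t;                          // stands in for *timer = t: frees timer.aux
  }
  int n = g_double_frees;
  ResetAllocator();
  return n;
}

// Udo's diagnostic variant: default-construct, then assign, so operator=
// runs and deep-copies even though BadTimer has no copy constructor.
int ModtWithAssignWorkaround() {
  ResetAllocator();
  {
    BadTimer timer("original aux");
    BadTimer t;
    t = timer;
    BadTimer parsed("modified aux");
    t = parsed;
    timer = t;
  }
  int n = g_double_frees;
  ResetAllocator();
  return n;
}

int main() {
  printf("copy-init aliases aux:          %d\n", CopyInitAliasesAux());
  printf("double frees, no copy ctor:     %d\n", ModtLikeSequence<BadTimer>());
  printf("double frees, assign first:     %d\n", ModtWithAssignWorkaround());
  printf("double frees, with copy ctor:   %d\n", ModtLikeSequence<GoodTimer>());
  return 0;
}
```

The BadTimer run reproduces the shape of the valgrind trace: the re-parse step releases the block both objects point at, and the assignment back then releases it a second time. Declaring a copy constructor (or, as a quick check, default-constructing and assigning) makes the count zero. Note that the compiler still generates the copy constructor implicitly when only operator= and the destructor are user-declared; later C++ standards deprecate that but do not remove it, so a class that owns a raw pointer needs all three.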