Bug 6658 - double-free in libtess dictDeleteDict()
Summary: double-free in libtess dictDeleteDict()
Alias: None
Product: Mesa
Classification: Unclassified
Component: GLU
Version: git
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assignee: mesa-dev
QA Contact:
Keywords: patch
Depends on:
Reported: 2006-04-19 23:38 UTC by Tilman Sauerbeck
Modified: 2009-08-24 12:23 UTC (History)

See Also:
i915 platform:
i915 features:

Patch (692 bytes, patch)
2006-04-19 23:38 UTC, Tilman Sauerbeck

Description Tilman Sauerbeck 2006-04-19 23:38:24 UTC
dictDeleteDict() frees both dict->head and dict, but dict->head isn't allocated
separately so it must not be freed separately either.
Comment 1 Tilman Sauerbeck 2006-04-19 23:38:57 UTC
Created attachment 5379
Comment 2 Brian Paul 2006-04-19 23:59:50 UTC
It looks to me like you're referencing the value of node->next after you've
free'd node (that's bad).  I think we need to do something like this instead:

void dictDeleteDict( Dict *dict )
{
  DictNode *node, *next;

  /* Walk the ring of nodes threaded through the embedded sentinel
   * dict->head.  Read node->next before freeing node, since the node's
   * memory must not be touched after memFree(). */
  for( node = dict->head.next; node != &dict->head; node = next ) {
    next = node->next;
    memFree( node );
  }
  /* dict->head is embedded in the Dict itself, so only dict is freed. */
  memFree( dict );
}
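The two defects discussed in this report (freeing the embedded sentinel separately, and reading node->next after the node has been freed) are easy to reproduce in a stand-alone model of the structure. The following is an added example, not libtess code and not the attached patch: it models Dict as a circular doubly-linked list whose sentinel head is a member of the Dict struct, with memAlloc/memFree stand-ins and an assumed field layout (key/next/prev) chosen for the example. dictDeleteDict() follows the corrected loop from Comment 2 and returns the number of nodes it released so the teardown can be checked.

```c
#include <assert.h>
#include <stdlib.h>

/* Stand-in for libtess's Dict: a circular doubly-linked list whose sentinel
 * `head` is embedded in the Dict struct and therefore never allocated on its
 * own. Names follow the bug report; the field layout is an assumption made
 * for this example. */
typedef struct DictNode {
    void *key;
    struct DictNode *next;
    struct DictNode *prev;
} DictNode;

typedef struct Dict {
    DictNode head;   /* embedded sentinel: its storage belongs to the Dict */
} Dict;

/* Allocation wrappers standing in for libtess's memAlloc/memFree. */
static void *memAlloc(size_t n) { return malloc(n); }
static void memFree(void *p) { free(p); }

Dict *dictNewDict(void)
{
    Dict *dict = memAlloc(sizeof *dict);
    if (dict == NULL) return NULL;
    dict->head.key = NULL;
    dict->head.next = &dict->head;   /* empty ring points at itself */
    dict->head.prev = &dict->head;
    return dict;
}

/* Link a new node in front of the sentinel, i.e. at the tail of the ring. */
DictNode *dictInsert(Dict *dict, void *key)
{
    DictNode *node = memAlloc(sizeof *node);
    if (node == NULL) return NULL;
    node->key = key;
    node->next = &dict->head;
    node->prev = dict->head.prev;
    dict->head.prev->next = node;
    dict->head.prev = node;
    return node;
}

/* Teardown as sketched in Comment 2:
 *  - node->next is copied into `next` BEFORE memFree(node), so no freed
 *    memory is read (the use-after-free Brian pointed out);
 *  - &dict->head is never passed to memFree(): it lives inside `dict`, so
 *    freeing it separately would be the double-free from the description.
 * Returns the number of allocated nodes released, for verification. */
size_t dictDeleteDict(Dict *dict)
{
    DictNode *node, *next;
    size_t freed = 0;

    if (dict == NULL) return 0;
    for (node = dict->head.next; node != &dict->head; node = next) {
        next = node->next;           /* saved before the node is released */
        memFree(node);
        freed++;
    }
    memFree(dict);                   /* releases the embedded sentinel too */
    return freed;
}

/* Build a dict with n nodes and tear it down; returns the nodes freed. */
size_t dictRoundTrip(size_t n)
{
    Dict *dict = dictNewDict();
    size_t i;
    if (dict == NULL) return 0;
    for (i = 0; i < n; i++) {
        if (dictInsert(dict, NULL) == NULL) break;
    }
    return dictDeleteDict(dict);
}

int main(void)
{
    assert(dictRoundTrip(0) == 0);
    assert(dictRoundTrip(5) == 5);
    return 0;
}
```

Compiling with AddressSanitizer (`-fsanitize=address`) is the quickest way to confirm the teardown is clean: the original patch's read of node->next after memFree() and any memFree(&dict->head) are both reported immediately, whereas this version runs silently.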

Comment 3 Tilman Sauerbeck 2006-04-20 00:04:24 UTC
Whoops, you are right. That's another issue I didn't notice :)
Comment 4 Brian Paul 2006-04-20 00:42:30 UTC
Fixed in CVS.
Comment 5 Adam Jackson 2009-08-24 12:23:49 UTC
Mass version move, cvs -> git
