Bug 6658

Summary: double-free in libtess dictDeleteDict()
Product: Mesa Reporter: Tilman Sauerbeck <tilman>
Component: GLUAssignee: mesa-dev
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: high Keywords: patch
Version: git   
Hardware: x86 (IA32)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:
Attachments: Patch

Description Tilman Sauerbeck 2006-04-19 23:38:24 UTC 
dictDeleteDict() frees both dict->head and dict, but dict->head isn't allocated
separately so it must not be freed separately either.
Comment 1 Tilman Sauerbeck 2006-04-19 23:38:57 UTC 
Created attachment 5379 [details] [review]
Patch
Comment 2 Brian Paul 2006-04-19 23:59:50 UTC 
It looks to me like you're referencing the value of node->next after you've
free'd node (that's bad).  I think we need to do something like this instead:

void dictDeleteDict( Dict *dict )
{
  DictNode *node, *next;

  for( node = dict->head.next; node != &dict->head; node = next ) {
    next = node->next;
    memFree( node );
  }
  memFree( dict );
}
Comment 3 Tilman Sauerbeck 2006-04-20 00:04:24 UTC 
Whoops, you are right. That's another issue I didn't notice :)
Comment 4 Brian Paul 2006-04-20 00:42:30 UTC 
Fixed in CVS.
Comment 5 Adam Jackson 2009-08-24 12:23:49 UTC 
Mass version move, cvs -> git

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.