View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002640 | FSSCP | public | 2012-04-15 20:04 | 2012-04-22 13:42 | |
| Reporter | 3dL3XAqPiDaS5WF2 | Assigned To | Echelon9 | ||
| Priority | normal | Severity | crash | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| OS | Linux | OS Version | 3.3.1 | ||
| Summary | 0002640: Double free in missionbriefcommon.cpp | ||||
| Description | ...:mission_brief_common_reset at if ( Briefings[i].stages[j].icons ) { vm_free(Briefings[i].stages[j].icons); Briefings[i].stages[j].icons = NULL; } the icons pointer is not guaranteed to be unique. Contents of Briefings[i].stages[j].icons after entering the briefing for the Freespace 2 mission ``A Game of Tag'' and pressing escape: 0x35cea20 0x2e72ea0 0x349fdf0 0x34a03b0 0x34a03b0 0x34a03b0 (nil) . . . Crash follows when the pointer is freed twice. | ||||
| Tags | No tags attached. | ||||
|
|
The bug might have been caused by r8595 where a memset was replaced by an incomplete reset of the stage entry: - memset( &Briefing->stages[i], 0, sizeof(brief_stage) ); + Briefing->stages[i].formula = -1; + Briefing->stages[i].flags = 0; + Briefing->stages[i].text = ""; + Briefing->stages[i].num_lines = 0; The attached patch fixes the issue I have reported. |
|
|
2640.patch (621 bytes)
Index: code/missionui/missionbrief.cpp
===================================================================
--- code/missionui/missionbrief.cpp (revision 8679)
+++ code/missionui/missionbrief.cpp (working copy)
@@ -814,10 +814,7 @@
// completely clear out the old entries (if any) so we don't access them by mistake - taylor
if ( before > Briefing->num_stages ) {
for ( i = Briefing->num_stages; i < before; i++ ) {
- Briefing->stages[i].formula = -1;
- Briefing->stages[i].flags = 0;
- Briefing->stages[i].text = "";
- Briefing->stages[i].num_lines = 0;
+ Briefing->stages[i] = brief_stage();
}
}
|
|
|
I wasn't able to get this double free to trigger with the method you described (using LLVM compiled binary on OS X), but the issue looks legitimate from reading that section of code post-r8595. Are others able to repro the double free? |
|
|
Fix committed to trunk@8688. |
|
fs2open: trunk r8688 2012-04-22 09:44 Ported: N/A Details Diff |
Fix Mantis 2640: Double free in missionbriefcommon.cpp, thanks 3dL3XAqPiDaS5WF2 |
Affected Issues 0002640 |
|
| mod - /trunk/fs2_open/projects/Xcode4/FS2_Open.xcodeproj/xcshareddata/xcschemes/FS2_Open.xcscheme | Diff File | ||
| mod - /trunk/fs2_open/code/missionui/missionbrief.cpp | Diff File | ||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-04-15 20:04 | 3dL3XAqPiDaS5WF2 | New Issue | |
| 2012-04-15 20:13 | 3dL3XAqPiDaS5WF2 | Note Added: 0013469 | |
| 2012-04-15 20:14 | 3dL3XAqPiDaS5WF2 | File Added: 2640.patch | |
| 2012-04-15 21:12 | Echelon9 | Note Added: 0013470 | |
| 2012-04-15 21:12 | Echelon9 | Assigned To | => Echelon9 |
| 2012-04-15 21:12 | Echelon9 | Status | new => assigned |
| 2012-04-22 13:36 | Echelon9 | Status | assigned => code review |
| 2012-04-22 13:42 | Echelon9 | Changeset attached | => fs2open trunk r8688 |
| 2012-04-22 13:42 | Echelon9 | Note Added: 0013476 | |
| 2012-04-22 13:42 | Echelon9 | Status | code review => resolved |
| 2012-04-22 13:42 | Echelon9 | Resolution | open => fixed |
