[pacman-dev] [PATCH] libalpm: avoid double free() in trans_free()

Aurelien Foret aurelien at archlinux.org
Sat Dec 31 12:32:36 EST 2005

VMiklos wrote:
>   hi
>   http://frugalware.org/~vmiklos/patches/libpacman-proposed/trans_double_free.diff
>   trans->packages is only a list of package _pointers_ so using FREELISTPKGS() on
>   it will cause a double free(). use FREELISTPTR instead
>   how to reproduce this bug:
>   $ sudo pacman -Rs k9copy --noconfirm
>   checking dependencies... done.
>   Targets: k9copy toolame
>   removing k9copy... done.
>   removing toolame... done.
>   *** glibc detected *** double free or corruption (!prev): 0x0824eea0 ***
> udv / greetings,
> VMiklos

Basically, trans->pacakges is really a list of packages, and not a list 
of pointers to packages.
As a consequence, it must be freed by using FREELISTPKGS.

See add_loadtarget() or remove_loadtarget(): data are built from scratch 
and copied into that list.

FYI, it is needed for a transaction to hold its own set of data. During 
the transaction life, the package cache can change, and thus, it is 
tricky to rely on it by simply using pointers.

IMO, the double free fault comes from somewhere else.
Is it only occurring when using the "-s" flag?
Is running "sudo pacman -R --noconfirm k9copy toolame" triggers the fault?

More information about the pacman-dev mailing list