[pacman-dev] [PATCH] libalpm: avoid double free() in trans_free()
Aurelien Foret
aurelien at archlinux.org
Sat Dec 31 12:32:36 EST 2005
VMiklos wrote:
> hi
>
> http://frugalware.org/~vmiklos/patches/libpacman-proposed/trans_double_free.diff
>
> trans->packages is only a list of package _pointers_ so using FREELISTPKGS() on
> it will cause a double free(). use FREELISTPTR instead
>
> how to reproduce this bug:
> $ sudo pacman -Rs k9copy --noconfirm
> checking dependencies... done.
>
> Targets: k9copy toolame
>
> removing k9copy... done.
> removing toolame... done.
> *** glibc detected *** double free or corruption (!prev): 0x0824eea0 ***
>
> udv / greetings,
> VMiklos
>
Basically, trans->packages is really a list of packages, and not a list
of pointers to packages.
As a consequence, it must be freed by using FREELISTPKGS.
See add_loadtarget() or remove_loadtarget(): data are built from scratch
and copied into that list.
FYI, it is needed for a transaction to hold its own set of data. During
the transaction life, the package cache can change, and thus, it is
tricky to rely on it by simply using pointers.
IMO, the double free fault comes from somewhere else.
Is it only occurring when using the "-s" flag?
Does running "sudo pacman -R --noconfirm k9copy toolame" trigger the fault?
--
Aurelien
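The disagreement above is about who owns the package records reachable from trans->packages: if the list holds copies built by add_loadtarget()/remove_loadtarget(), FREELISTPKGS is the correct cleanup; if it only held pointers into the package cache, freeing the records through it would collide with the cache's own cleanup and produce exactly the glibc "double free" abort quoted in the report. The following C program is an added example written for this page, not code from libalpm or from either poster; the pkg_t, list_t, pkg_new(), pkg_dup(), free_list_ptr() and free_list_pkgs() names are constructed stand-ins, and the registry-based double-free detector is a teaching device (real code has no such safety net). It plays out both ownership models so the difference is observable without crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a package record; not libalpm's real type. */
typedef struct pkg { char name[32]; } pkg_t;

/* Generic list node holding a void pointer, in the spirit of alpm's list. */
typedef struct node { void *data; struct node *next; } list_t;

/* Ownership tracker (constructed for the example): every record made by
 * pkg_new() is registered, and pkg_free() counts attempts to release a
 * record that is no longer alive instead of calling free() twice, which in
 * real code is undefined behaviour (glibc reports it as "double free or
 * corruption", as in the quoted output). A live-entry match is required so
 * that an address reused by a later allocation is not mistaken for a stale one. */
#define MAX_PKGS 16
static pkg_t *registry[MAX_PKGS];
static int alive[MAX_PKGS];
static int npkgs;
static int double_frees;

static pkg_t *pkg_new(const char *name)
{
    pkg_t *p = calloc(1, sizeof *p);
    strncpy(p->name, name, sizeof p->name - 1);
    registry[npkgs] = p;
    alive[npkgs] = 1;
    npkgs++;
    return p;
}

/* Deep copy: how a transaction gets data of its own, as the reply describes
 * add_loadtarget()/remove_loadtarget() doing. */
static pkg_t *pkg_dup(const pkg_t *src) { return pkg_new(src->name); }

static void pkg_free(pkg_t *p)
{
    for (int i = 0; i < npkgs; i++) {
        if (registry[i] == p && alive[i]) {
            alive[i] = 0;
            free(p);
            return;
        }
    }
    double_frees++; /* no live record at this address: a double free */
}

static list_t *list_add(list_t *head, void *data)
{
    list_t *n = malloc(sizeof *n);
    n->data = data;
    n->next = NULL;
    if (!head)
        return n;
    list_t *p = head;
    while (p->next)
        p = p->next;
    p->next = n;
    return head;
}

/* FREELISTPTR-style: release the nodes only; someone else owns the data. */
static void free_list_ptr(list_t *head)
{
    while (head) { list_t *next = head->next; free(head); head = next; }
}

/* FREELISTPKGS-style: release the nodes and the records they own. */
static void free_list_pkgs(list_t *head)
{
    while (head) {
        list_t *next = head->next;
        pkg_free(head->data);
        free(head);
        head = next;
    }
}

/* Model from the reply: the transaction holds its own copies, so the cache
 * can change underneath it and FREELISTPKGS is the right cleanup.
 * Returns 1 when the copy survives the cache teardown with no double free. */
static int scenario_owning_list(void)
{
    double_frees = 0;
    pkg_t *cached = pkg_new("k9copy");
    list_t *cache = list_add(NULL, cached);
    list_t *trans = list_add(NULL, pkg_dup(cached));
    free_list_pkgs(cache);                         /* cache dropped */
    int intact = strcmp(((pkg_t *)trans->data)->name, "k9copy") == 0;
    free_list_pkgs(trans);                         /* owner releases its data */
    return intact && double_frees == 0;
}

/* Model the patch assumed: the transaction holds pointers into the cache.
 * With fixed == 0 the records are released through both lists (each one
 * freed twice); with fixed == 1 the transaction frees nodes only, the way
 * FREELISTPTR would. Returns the number of double frees detected. */
static int scenario_pointer_list(int fixed)
{
    double_frees = 0;
    pkg_t *cached = pkg_new("toolame");
    list_t *cache = list_add(NULL, cached);
    list_t *trans = list_add(NULL, cached);        /* same record, two lists */
    if (fixed)
        free_list_ptr(trans);
    else
        free_list_pkgs(trans);                     /* trans does not own it */
    free_list_pkgs(cache);                         /* real owner frees */
    return double_frees;
}

int main(void)
{
    printf("owning list intact, no double free: %d\n", scenario_owning_list());
    printf("pointer list freed twice: %d double free(s)\n", scenario_pointer_list(0));
    printf("pointer list with FREELISTPTR: %d double free(s)\n", scenario_pointer_list(1));
    return 0;
}
```

The takeaway for reading the real code is that the right FREELIST macro is decided by how the list was populated, not by how the list is declared: a list built from copies must be freed with the record-freeing variant, and a list of borrowed pointers must never be. When a double free shows up only under one code path (here the question about "-s"), the place to look is whichever path inserts a borrowed pointer into an owning list, or frees a record that another list still references.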