[mapserver-dev] fix: shp2img gets double free or corruption

Wendell Turner wendell at enflight.com
Tue Jul 20 17:40:52 EDT 2010


I just upgraded from mapserver 5.4.1 to 5.6.5 and now
shp2img gets this:

  *** glibc detected *** shp2img: double free or corruption (fasttop): 0x095b78b0 ***
  ======= Backtrace: =========
  /lib/libc.so.6[0xb550f1]
  /lib/libc.so.6(cfree+0x90)[0xb58bc0]
  shp2img[0x8050f06]
  /lib/libc.so.6(__libc_start_main+0xdc)[0xb01e8c]
  shp2img[0x8050601]
  ======= Memory map: ========
  ...

It occurs when multiple layers are listed in the mapfile,
and some (but not all) of those layers are listed in the
'-l' argument to shp2img.

It appears that in shp2img.c, while looping through the '-l'
argument list, the name of a (possibly bad) layer is
remembered via:

   invalid_layer = strdup(layers[j]);

If that layer is found later, the string is freed with:
        if (invalid_layer)
          free(invalid_layer);

which causes the double free error.

It seems that all the loop needs to do is remember the index
of the list, not a strdup of the string.  Doing that seems
to work, and eliminates the double free problem.

Don't know if this is correct or not, but the patch below
works for me.

Wendell

===============================================================
--- shp2img.c-strdup    2009-11-04 13:53:23.000000000 +0000
+++ shp2img.c   2010-07-20 13:38:39.000000000 +0000
@@ -43,7 +43,7 @@
   int num_layers=0;

   int layer_found=0;
-  char *invalid_layer=NULL;
+  int invalid_layer = -1;

   char *outfile=NULL; /* no -o sends image to STDOUT */

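Review bot: `invalid_layer` keeps its old name in this declaration but now holds an index into `layers` rather than a layer name, and the meaning of the `-1` initial value is not documented. A short comment on the declaration, or a name such as `invalid_layer_index`, would make it clear that -1 means no index has been recorded and must not be used as a subscript.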
@@ -263,18 +263,14 @@
             break;
           }
           else {
-            if (invalid_layer)
-              free(invalid_layer);
-            invalid_layer = strdup(layers[j]);
+            invalid_layer = j;
           }
         }
         if (layer_found==0) {
-          fprintf(stderr, "Layer (-l) %s not found\n", invalid_layer);
+          fprintf(stderr, "Layer (-l) %s not found\n", layers[invalid_layer]);
           msCleanup();
           exit(0);
         }
-        if (invalid_layer)
-          free(invalid_layer);
       }

       for(j=0; j<map->numlayers; j++) {
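Review bot: In the `layer_found==0` branch, `layers[invalid_layer]` is read with no check that `invalid_layer` was ever assigned. It is only set in the `else` branch above, so if that branch is not reached it still holds -1 and the subscript reads before the start of `layers`. Since the assignment is just `invalid_layer = j`, printing `layers[j]` directly would remove both the extra variable and the sentinel (this assumes `j` is still the current `-l` index at that point, as the removed `strdup(layers[j])` suggests). Separately, the unchanged `exit(0)` reports success right after printing an error; a non-zero status would let calling scripts detect the failure.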
===============================================================
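The index-only approach described in the message, written out as an added example that is not part of the original post or of shp2img.c. The helper name `first_missing_layer`, the exact `strcmp` matching, and the sample layer names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from shp2img.c): returns the index in requested[]
 * of the first name that is absent from available[], or -1 if every requested
 * name is present. Only an index is kept, so nothing is allocated and there
 * is no pointer that could be freed twice. */
static int first_missing_layer(char **requested, int num_requested,
                               char **available, int num_available)
{
  int j, k;

  for (j = 0; j < num_requested; j++) {
    int found = 0;
    for (k = 0; k < num_available; k++) {
      /* unnamed layers are skipped; exact strcmp matching is an assumption */
      if (available[k] && strcmp(available[k], requested[j]) == 0) {
        found = 1;
        break;
      }
    }
    if (!found)
      return j;  /* j is valid even when num_available == 0 */
  }
  return -1;
}

int main(void)
{
  /* Constructed sample data: three map layers, a subset requested via -l */
  char *map_layers[] = { "roads", "rivers", "towns" };
  char *wanted[]     = { "rivers", "towns" };
  char *typo[]       = { "roads", "lakes" };
  int bad;

  bad = first_missing_layer(wanted, 2, map_layers, 3);
  printf("subset of layers, first missing index: %d\n", bad);

  bad = first_missing_layer(typo, 2, map_layers, 3);
  if (bad >= 0) {
    fprintf(stderr, "Layer (-l) %s not found\n", typo[bad]);
    return 1;  /* non-zero status on error */
  }
  return 0;
}
```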

