[mapserver-dev] fix: shp2img gets double free or corruption

Alan Boudreault aboudreault at mapgears.com
Wed Jul 21 08:09:41 EDT 2010 

Hi Wendell,

Please fill a ticket and assign it to "aboudreault". I'm going to take a look 
in the next days.

Thanks,
Alan

On July 20, 2010 05:40:52 pm Wendell Turner wrote:
> I just upgraded from mapserver 5.4.1 to 5.6.5 and now
> shp2img gets this:
> 
>   *** glibc detected *** shp2img: double free or corruption (fasttop):
>  0x095b78b0 *** ======= Backtrace: =========
>   /lib/libc.so.6[0xb550f1]
>   /lib/libc.so.6(cfree+0x90)[0xb58bc0]
>   shp2img[0x8050f06]
>   /lib/libc.so.6(__libc_start_main+0xdc)[0xb01e8c]
>   shp2img[0x8050601]
>   ======= Memory map: ========
>   ...
> 
> It occurs when multiple layers are listed in the mapfile,
> and some (but not all) of those layers are listed in the
> '-l' argument to shp2img.
> 
> It appears that in shp2img.c, while looping through the '-l'
> argument list, the name of a (possibly bad) layer is
> remembered via:
> 
>    invalid_layer = strdup(layers[j]);
> 
> If that layer is found later, the string is freed with:
>         if (invalid_layer)
>           free(invalid_layer);
> 
> which causes the double free error.
> 
> It seems that all the loop needs to do is remember the index
> of the list, not a strdup of the string.  Doing that seems
> to work, and eliminates the double free problem.
> 
> Don't know if this is correct or not, but the patch below
> works for me.
> 
> Wendell
> 
> ===============================================================
> --- shp2img.c-strdup    2009-11-04 13:53:23.000000000 +0000
> +++ shp2img.c   2010-07-20 13:38:39.000000000 +0000
> @@ -43,7 +43,7 @@
>    int num_layers=0;
> 
>    int layer_found=0;
> -  char *invalid_layer=NULL;
> +  int invalid_layer = -1;
> 
>    char *outfile=NULL; /* no -o sends image to STDOUT */
> 
> @@ -263,18 +263,14 @@
>              break;
>            }
>            else {
> -            if (invalid_layer)
> -              free(invalid_layer);
> -            invalid_layer = strdup(layers[j]);
> +            invalid_layer = j;
>            }
>          }
>          if (layer_found==0) {
> -          fprintf(stderr, "Layer (-l) %s not found\n", invalid_layer);
> +          fprintf(stderr, "Layer (-l) %s not found\n",
>  layers[invalid_layer]); msCleanup();
>            exit(0);
>          }
> -        if (invalid_layer)
> -          free(invalid_layer);
>        }
> 
>        for(j=0; j<map->numlayers; j++) {
> ===============================================================
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
> 

-- 
Alan Boudreault
Mapgears
http://www.mapgears.com

More information about the mapserver-dev mailing list