A use-after-free in the concurrent environment on ucthread[i]

[ycaibb]

Dear Developers:

Our static analysis tool reports a concurrency use-after-free due to race conditions in stream.c#L1865 and stream.c#L1515.

The code snippets are as follows.

static void *ucompthread(void *data)
{
          ...;
	dealloc(data);
	uci = &ucthread[i]; // alreadly freed
         ...;
	if (uci->c_type != CTYPE_NONE) {
		switch (uci->c_type) {
			case CTYPE_LZMA:
				ret = lzma_decompress_buf(control, uci);  //use site
				break;
			case CTYPE_LZO:
				ret = lzo_decompress_buf(control, uci);  //use site
				break;
			case CTYPE_BZIP2: 
				ret = bzip2_decompress_buf(control, uci);  //use site
				break;
			case CTYPE_GZIP:
				ret = gzip_decompress_buf(control, uci);  //use site
				break;
			case CTYPE_ZPAQ:
				ret = zpaq_decompress_buf(control, uci, i);  //use site
				break;
			default:
				failure_return(("Dunno wtf decompression type to use!\n"), NULL);
				break;
		}
	}
} 

int close_stream_in(rzip_control *control, void *ss)
{
	....;
	output_thread = 0;
	dealloc(ucthread);   // line1865
	dealloc(threads); 
	dealloc(sinfo->s);
	dealloc(sinfo);

	return 0;
}

Thank you.

[ckolivas]

Fixed in git master.