Avoid double free by making a copy of the value received from libconfig9 #879
Conversation
|
Many thanks for this. It may take a few days to check and update. |
|
Hi Chris. I had a good look at this. The good news (?) is that there is indeed a bug there and the patch does stop the crash. The bad news is that the patch doesn't really fix the original problem, which was caused by carelessness in allocating and deallocating memory for temporary strings. So, I have fixed it (I believe) in a slightly different way and pushed out an update in the |
|
Thanks Mike, I have no issue with closing this MR, but would you mind linking to the commit(s) with the fixes please? I may as well build a package to make testing easier. |
|
Thanks again Chris. The fix is in commit 175ae0a, specifically in the file There are a few other unrelated and essentially cosmetic changes in that commit. |
I've received this patch through the Debian BTS: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925577
It looks like libconfig9 tries to free the pointer to the string, so when shairport.c frees it itself around line 1169 you end up with a double-free. On the "wrong" system this leads to a crash.