Bug 75 - convert_string_allocate() frees memory twice
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Hardware: All All
Importance: P2 critical
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
Reported: 2003-05-08 09:49 UTC by John H Terpstra
Modified: 2005-02-07 07:54 UTC
Description John H Terpstra 2003-05-08 09:49:13 UTC
~/sources/lib/charcnv.c: Line: 254

        destlen = destlen - o_len;
        *dest = (char *)Realloc(ob,destlen);
        if (!*dest) {
                DEBUG(0, ("convert_string_allocate: out of memory!\n"));
                return (size_t)-1;

Assume destlen == 0
Realloc will free the original pointer, and the !*dest will free it again.
Comment 1 Gerald (Jerry) Carter 2003-05-08 13:16:23 UTC
SAFE_FREE() correctly handles NULL pointers so this
won't cause a crash or memory corruption, but I've added
a check just the same (if (destlen && !*dest) {}).
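
The reported pattern and the guard from Comment 1, as an added example that is not part of the bug report or Samba's source: a small model that counts releases of the buffer on each path, so the zero-length case can be compared with a genuine allocation failure. The names struct block, model_free, model_realloc and shrink_and_count are hypothetical, and the wrapper's size-0 behaviour is assumed from the description above.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not Samba source: a block counts releases instead of
 * really being freed, so a double release is observable without UB. */
struct block { int releases; };

/* NULL-safe release, standing in for a SAFE_FREE-style macro. */
static void model_free(struct block *b) { if (b) b->releases++; }

/* Assumed wrapper semantics, per the report: size 0 releases the block and
 * returns NULL. A simulated allocation failure also returns NULL but leaves
 * the block untouched, as realloc() does. */
static struct block *model_realloc(struct block *b, size_t size, int simulate_oom)
{
    if (size == 0) { model_free(b); return NULL; }
    if (simulate_oom) return NULL;
    return b;
}

/* Mirrors the caller's shape: shrink the buffer, treat NULL as an error and
 * release the original on that path. Returns how often it was released. */
static int shrink_and_count(size_t destlen, size_t o_len, int guarded, int simulate_oom)
{
    struct block blk = { 0 };
    struct block *ob = &blk;
    struct block *dest;

    destlen = destlen - o_len;
    dest = model_realloc(ob, destlen, simulate_oom);

    /* The wrapper only received a copy of ob, so ob is still non-NULL here
     * and a NULL check inside model_free cannot detect the earlier release. */
    if (guarded ? (destlen && !dest) : !dest)
        model_free(ob);

    return blk.releases;
}

int main(void)
{
    printf("destlen == 0, unguarded: %d releases\n", shrink_and_count(16, 16, 0, 0));
    printf("destlen == 0, guarded:   %d releases\n", shrink_and_count(16, 16, 1, 0));
    printf("OOM, guarded:            %d releases\n", shrink_and_count(16, 8, 1, 1));
    return 0;
}
```

With the guard, a zero-length result leaves the destination pointer NULL without signalling an error, so callers have to accept a NULL buffer of length 0.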
Comment 2 Gerald (Jerry) Carter 2003-05-20 08:19:50 UTC
Elrond gave it the ok.
Comment 3 Gerald (Jerry) Carter 2005-02-07 07:54:58 UTC
Originally reported against 3.0alpha23. Bugzilla spring cleaning.