Date: Mon, 27 Oct 2014 16:21:32 +0100
On 25/10/14 10:23, Daiki Ueno wrote:
(I'm sorry if this does not end up in the correct thread, not quite sure how to get the old mails resent so I had to download and create it manually)
I'm a colleague of Johan and I spent some time looking through the source code trying to figure out what the problem is.
The problem seems to be that if the same argnum is used then msgid and msgid_plural will point to the same address.
Later in remember_a_message, if the msgid has already been encountered it will call free on the msgid, making msgid_plural an invalid pointer which is then passed to free in remember_a_message_plural.
This seems a bit tricky to solve given the current implementation.
You can, however, solve it by making sure the two do not point to the same address to begin with (see attached patch).
An issue with this solution is that there seems to be (at least) one other instance where the pointers could point to the same object, when looking at lines:
3105   free (best_cp->msgid);
3106   if (best_cp->msgid_plural == best_cp->msgid)
3107     best_cp->msgid_plural = msgid;
3108   best_cp->msgid = msgid;
So it's possible that the same bug would appear here; I'm not sure how to exercise this code path.
A similar solution could probably be applied here.