gozfree / gear-lib

Gear-Lib, C library for IOT Embedded Multimedia and Network
MIT License

libdict dict_del function logic flaw #72

Closed YvesCjl closed 2 years ago

YvesCjl commented 2 years ago

To reproduce:

```c
#include <unistd.h>   /* read() */
#include "libdict.h"  /* gear-lib libdict header */

char s[105];

int main()
{
    dict *d = dict_new();
    read( 0, s, 100 ); // input 100 zeros, i.e., '00000000'...
    dict_del( d, s ); // successful, now d->used==-1
    return 0;
}
```

By the way, dict_free(d) doesn't check whether the dict is valid, which may lead to a heap crash. To reproduce:

```c
#include "libdict.h"  /* gear-lib libdict header */

int main()
{
    dict *d = dict_new();
    dict_free( d );
    dict_free( d ); // heap crash
    return 0;
}
```

gozfree commented 2 years ago

Fix patch: https://gitee.com/gozfreee/gear-lib/commit/02db43e0d0d76a315dd5d58298bc4b9102539d7a

The double dict_free needs no fix: just as malloc -> free -> free will also cause a heap crash, this should be ensured by users.
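
Added example, not part of the thread and not gear-lib's code or its fix patch: a self-contained toy table showing the two invariants this issue is about. Deleting an absent key must leave the `used` counter unchanged, and a caller-side free that resets the owner's pointer turns a second free into a no-op. All `toy_*` names and the fixed slot count are assumptions made for the illustration.

```c
/* Added illustration; toy_* names are hypothetical, not gear-lib's libdict API. */
#include <stdlib.h>
#include <string.h>
#define TOY_SLOTS 8

typedef struct {
    char *keys[TOY_SLOTS];  /* NULL marks an empty slot */
    int   used;             /* number of occupied slots, must never go negative */
} toy_dict;

toy_dict *toy_new(void) { return calloc(1, sizeof(toy_dict)); }

/* Store a private copy of key in the first empty slot; 0 on success, -1 otherwise. */
int toy_add(toy_dict *d, const char *key)
{
    if (d == NULL || key == NULL) return -1;
    for (int i = 0; i < TOY_SLOTS; i++) {
        if (d->keys[i] != NULL) continue;
        char *copy = malloc(strlen(key) + 1);
        if (copy == NULL) return -1;
        strcpy(copy, key);
        d->keys[i] = copy;
        d->used++;
        return 0;
    }
    return -1; /* table full */
}

/* Delete key; the counter changes only after a confirmed match. */
int toy_del(toy_dict *d, const char *key)
{
    if (d == NULL || key == NULL) return -1;
    for (int i = 0; i < TOY_SLOTS; i++) {
        if (d->keys[i] == NULL || strcmp(d->keys[i], key) != 0) continue;
        free(d->keys[i]);
        d->keys[i] = NULL;
        d->used--;
        return 0;
    }
    return -1; /* not found: no state change */
}

/* Caller-side double-free guard: free through the owner's pointer, then reset it. */
void toy_free(toy_dict **pd)
{
    if (pd == NULL || *pd == NULL) return;
    for (int i = 0; i < TOY_SLOTS; i++) free((*pd)->keys[i]);
    free(*pd);
    *pd = NULL;
}
```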