tarsh / open-vcdiff

Automatically exported from code.google.com/p/open-vcdiff
Apache License 2.0

HashedDictionary may free memory twice if implicitly copied #14

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Build and install open-vcdiff v0.2 as described in the README file.
2. Create a file double_free_hd.cc containing the following code:

#include <google/vcencoder.h>

int main() {
  open_vcdiff::HashedDictionary hd1("", 0);  // dictionary over empty data
  hd1.Init();                                // allocates the object's internal state
  open_vcdiff::HashedDictionary hd2 = hd1;   // compiler-generated copy: both objects now own the same memory
  return 0;                                  // hd2 and hd1 are destroyed in turn, freeing that memory twice
}

3. Compile the source file (for example, "g++ double_free_hd.cc -lvcdenc -o double_free_hd")

4. Run the resulting executable (for example, "LD_LIBRARY_PATH=/usr/local/lib ./double_free_hd")

What is the expected output? What do you see instead?

Expected behavior:
the executable should finish without producing any output.

Actual behavior:
Memory is freed twice and an error message appears, such as:
*** glibc detected *** double free or corruption (fasttop): 0x0804a018 ***
Aborted

Proposed solution: Create a private assignment operator and a private
copy constructor for HashedDictionary so that client code cannot copy
HashedDictionary objects using the versions of these functions that are
implicitly generated by the compiler.

Original issue reported on code.google.com by openvcd...@gmail.com on 18 Sep 2008 at 7:52

GoogleCodeExporter commented 9 years ago
open-vcdiff version 0.5 fixes this bug by defining a private copy constructor,
causing a compiler error to appear if the code attempts to copy a HashedDictionary
object. Using the double_free_hd.cc example from the bug description, the
following output appears:
$ g++ double_free_hd.cc -lvcdenc -o double_free_hd
/usr/local/include/google/vcencoder.h: In function 'int main()':
/usr/local/include/google/vcencoder.h:88: error:
'open_vcdiff::HashedDictionary::HashedDictionary(const
open_vcdiff::HashedDictionary&)' is private
double_free_hd.cc:6: error: within this context

This protects against the memory being freed twice and causing a crash at runtime.

Original comment by openvcd...@gmail.com on 20 Mar 2009 at 10:10
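The report above and the fix described in the follow-up comment are the two halves of one pattern: a class that owns a heap buffer and frees it in its destructor, but declares no copy operations, so the compiler-generated memberwise copy leaves two objects owning the same pointer. The following is an added example, not code from open-vcdiff; the class and function names are hypothetical. It keeps a small stand-in for that class, counts the second release of a buffer instead of letting glibc abort, and puts the hardened form beside it with the copy operations deleted (the C++11 spelling of the private copy constructor that 0.5 introduced), so that the copy in the reproduction no longer compiles and ownership can only be handed over by move.

```cpp
// Added example, not open-vcdiff code: a stand-in for an object that owns a
// heap buffer, showing why the compiler-generated copy constructor causes a
// double free and how declaring the copy operations private (C++03, the fix
// in 0.5) or deleted (C++11, used here) turns it into a compile error.
#include <cstdio>
#include <cstring>
#include <set>
#include <type_traits>
#include <utility>

// Instrumented release: remembers already-released buffers so a second release
// is counted instead of corrupting the heap (glibc's "double free" abort).
static std::set<const void*> g_released;
static int g_double_releases = 0;

static void tracked_release(char* p) {
  if (p == nullptr) return;
  if (g_released.count(p) != 0) {  // this buffer was already freed once
    ++g_double_releases;
    return;
  }
  g_released.insert(p);
  delete[] p;
}

static char* copy_buffer(const char* data, std::size_t size) {
  char* buf = new char[size + 1];
  std::memcpy(buf, data, size);
  buf[size] = '\0';
  return buf;
}

// Buggy shape from the report: owns data_, frees it in the destructor, and
// declares no copy operations, so copies share the same pointer.
class UnsafeDictionary {
 public:
  UnsafeDictionary(const char* data, std::size_t size)
      : data_(copy_buffer(data, size)) {}
  ~UnsafeDictionary() { tracked_release(data_); }
 private:
  char* data_;
};

// Hardened shape: copying is a compile-time error; ownership can still be
// handed over by move, after which the moved-from object releases nothing.
class SafeDictionary {
 public:
  SafeDictionary(const char* data, std::size_t size)
      : data_(copy_buffer(data, size)) {}
  ~SafeDictionary() { tracked_release(data_); }
  SafeDictionary(const SafeDictionary&) = delete;
  SafeDictionary& operator=(const SafeDictionary&) = delete;
  SafeDictionary(SafeDictionary&& other) noexcept : data_(other.data_) {
    other.data_ = nullptr;  // source gives up ownership
  }
  bool empty() const { return data_ == nullptr; }
 private:
  char* data_;
};

// Reproduces the report with the unsafe class: copy, then let both objects
// die. Returns the number of double releases seen (1 while the bug exists).
int double_releases_after_implicit_copy() {
  g_released.clear();
  g_double_releases = 0;
  {
    UnsafeDictionary hd1("abc", 3);
    UnsafeDictionary hd2 = hd1;  // shallow copy of data_
    (void)hd2;
  }                              // hd2 frees data_, then hd1 frees it again
  return g_double_releases;
}

// Same flow with the hardened class: `SafeDictionary hd2 = hd1;` no longer
// compiles, and a move is the only way to hand the buffer over.
int double_releases_after_move() {
  g_released.clear();
  g_double_releases = 0;
  {
    SafeDictionary hd1("abc", 3);
    SafeDictionary hd2 = std::move(hd1);
    (void)hd2;
    if (!hd1.empty()) return -1;  // moved-from object must own nothing
  }
  return g_double_releases;
}

// Compile-time statement of the fix: copies are gone, moves remain.
static_assert(!std::is_copy_constructible<SafeDictionary>::value,
              "SafeDictionary must not be copy-constructible");
static_assert(std::is_nothrow_move_constructible<SafeDictionary>::value,
              "SafeDictionary must stay movable");

int main() {
  std::printf("double releases after implicit copy: %d\n",
              double_releases_after_implicit_copy());
  std::printf("double releases after move: %d\n",
              double_releases_after_move());
  return 0;
}
```

Build with `g++ -std=c++11 -Wall double_free_demo.cc` (file name assumed). The unsafe path reports one double release without crashing only because `tracked_release` refuses the second free; with a plain `delete[]` it is the glibc abort from the report. Uncommenting a `SafeDictionary hd2 = hd1;` line reproduces the compile error shown in the 0.5 comment, which is the point of the fix: the mistake is caught when the client code is built rather than when it runs.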