[JDEV] bug in jab_start
Marco Nelissen
marcone at be.com
Thu Oct 5 20:56:15 CDT 2000
In case any of the maintainers of libjabber are reading this list:
In jconn.c as I got it from CVS yesterday, there is a bug at the
end of jab_start:
    (...)
    t = xmlnode2str(x);
    xmlnode_free(x);
    /* this is ugly, we can create the string here instead of jutil_header */
    /* what do you think about it? -madcat */
    t2 = strstr(t,"/>");
    *t2++ = '>';
    *t2 = '\0';
    jab_send_raw(j,"<?xml version='1.0'?>");
    jab_send_raw(j,t);
}
The bug is that the xmlnode_free(x) causes the memory pool associated with
that node to be freed, but this includes the string "t" that was returned
from xmlnode2str(x). Therefore everything after xmlnode_free(x) is referencing
unallocated memory, which is obviously not allowed (and indeed caused a crash
on my system where I ran with special debugging options).
Marco
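As an added illustration, not part of Marco's mail or of libjabber's own code: a minimal model of a pool-backed node whose xmlnode2str() result dies with xmlnode_free(), and the corrected ordering for the tail of jab_start (copy the serialization out of the pool first, free the node, then rewrite "/>" to ">" on the private copy). xmlnode_t, xmlnode_new() and jab_start_header() are hypothetical stand-ins, not the real library API.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for libjabber's pool-backed xmlnode: every string the
 * node hands out, including the xmlnode2str() result, lives in the node's
 * pool and is released by xmlnode_free(). */
typedef struct {
    char *pool;        /* single arena owned by the node */
    char *serialized;  /* points INTO pool; dangling after xmlnode_free() */
} xmlnode_t;

static xmlnode_t *xmlnode_new(const char *tag, const char *attr, const char *val) {
    xmlnode_t *x = malloc(sizeof *x);
    size_t n = strlen(tag) + strlen(attr) + strlen(val) + 8; /* <tag attr='val'/> + NUL */
    x->pool = malloc(n);
    snprintf(x->pool, n, "<%s %s='%s'/>", tag, attr, val);
    x->serialized = x->pool;
    return x;
}
static char *xmlnode2str(xmlnode_t *x) { return x->serialized; }  /* pool memory, no copy */
static void xmlnode_free(xmlnode_t *x) { free(x->pool); free(x); } /* frees that string too */

/* Corrected tail of jab_start: duplicate the serialization while the pool is
 * alive, free the node, then edit the copy. The original edited t AFTER
 * xmlnode_free(x), i.e. wrote into freed memory. Caller must free() the result. */
char *jab_start_header(const char *host) {
    xmlnode_t *x = xmlnode_new("stream:stream", "to", host);
    const char *pooled = xmlnode2str(x);
    size_t len = strlen(pooled) + 1;
    char *t = malloc(len);
    if (t) memcpy(t, pooled, len);     /* private copy, outside the pool */
    xmlnode_free(x);                   /* now safe: t does not live in the pool */
    if (!t) return NULL;
    char *t2 = strstr(t, "/>");
    if (t2) {                          /* turn the empty element into an open tag */
        *t2++ = '>';
        *t2 = '\0';
    }
    return t;
}

int main(void) {
    char *hdr = jab_start_header("example.org");
    printf("%s\n", hdr);               /* <stream:stream to='example.org'> */
    free(hdr);
    return 0;
}
```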