#4802 closed defect (fixed)
UNZIP: Double free causes crash
| Reported by: | SF/chkr | Owned by: | hkzlab |
|---|---|---|---|
| Priority: | normal | Component: | --Other-- |
| Version: | Keywords: | ||
| Cc: | Game: |
Description
scummvm crashes on startup when there is a broken/empty zip file in the current directory
how to reproduce (linux): 1. mkdir /tmp/foo 2. cd /tmp/foo 3. touch bar.zip 4. scummvm
Segmentation fault (core dumped)
#0 0x088f7785 in Common::makeZipArchive (stream=0xa7a81d8) at common/unzip.cpp:1461 #1 0x08830abe in GUI::ThemeEngine::themeConfigUsable (node=@0xa7a7fec, themeName=@0xbfe36a7c) at gui/ThemeEngine.cpp:1445 #2 0x08831d14 in GUI::ThemeEngine::listUsableThemes (node=@0xbfe36bd4, list=@0xbfe36da0, depth=1) at gui/ThemeEngine.cpp:1564 #3 0x088324a4 in GUI::ThemeEngine::listUsableThemes (list=@0xbfe36da0) at gui/ThemeEngine.cpp:1515 #4 0x08832cd5 in GUI::ThemeEngine::getThemeFile (id=@0xbfe36eac) at gui/ThemeEngine.cpp:1616 [...]
The reason is a double free in common/unzip.cpp:
- in make ZipArchive unzOpen is called (with "stream" as parameter) - in case of an error, "stream" is freed in unzOpen: if (err != UNZ_OK) { delete us->_stream; delete us; return NULL; } and NULL is returned - this causes in makeZipArchive that "stream" gets deleted again: unzFile zipFile = unzOpen(stream); if (!zipFile) { delete stream; return 0; }
- SVN snapshot from trunk, 2010-02-28
Ticket imported from: #2965108. Ticket imported from: bugs/4802.
Change History (4)
comment:1 by , 15 years ago
comment:2 by , 15 years ago
| Owner: | set to |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
| Summary: | scummvm crash on startup (zip file handling) → UNZIP: Double free causes crash |
comment:3 by , 15 years ago
I had roughly scanned the changes in SVN before writing the bug report, but somehow I've missed this bug fix. I have just re-tested it with current snapshot (2010-03-07) and the problem does not happen anymore. Thank you very much.
comment:4 by , 6 years ago
| Component: | → --Other-- |
|---|
This was already fixed with r48154 on 28-02-2010.