Opened 15 years ago

Closed 15 years ago

Last modified 6 years ago

#4802 closed defect (fixed)

UNZIP: Double free causes crash

Reported by: SF/chkr Owned by: hkzlab
Priority: normal Component: --Other--
Version: Keywords:
Cc: Game:

Description

scummvm crashes on startup when there is a broken/empty zip file in the current directory

how to reproduce (linux): 1. mkdir /tmp/foo 2. cd /tmp/foo 3. touch bar.zip 4. scummvm

Segmentation fault (core dumped)

#0 0x088f7785 in Common::makeZipArchive (stream=0xa7a81d8) at common/unzip.cpp:1461 #1 0x08830abe in GUI::ThemeEngine::themeConfigUsable (node=@0xa7a7fec, themeName=@0xbfe36a7c) at gui/ThemeEngine.cpp:1445 #2 0x08831d14 in GUI::ThemeEngine::listUsableThemes (node=@0xbfe36bd4, list=@0xbfe36da0, depth=1) at gui/ThemeEngine.cpp:1564 #3 0x088324a4 in GUI::ThemeEngine::listUsableThemes (list=@0xbfe36da0) at gui/ThemeEngine.cpp:1515 #4 0x08832cd5 in GUI::ThemeEngine::getThemeFile (id=@0xbfe36eac) at gui/ThemeEngine.cpp:1616 [...]

The reason is a double free in common/unzip.cpp:

- in make ZipArchive unzOpen is called (with "stream" as parameter) - in case of an error, "stream" is freed in unzOpen: if (err != UNZ_OK) { delete us->_stream; delete us; return NULL; } and NULL is returned - this causes in makeZipArchive that "stream" gets deleted again: unzFile zipFile = unzOpen(stream); if (!zipFile) { delete stream; return 0; }

- SVN snapshot from trunk, 2010-02-28

Ticket imported from: #2965108. Ticket imported from: bugs/4802.

Change History (4)

comment:1 by lordhoto, 15 years ago

This was already fixed with r48154 on 28-02-2010.

comment:2 by lordhoto, 15 years ago

Owner: set to hkzlab
Resolution: fixed
Status: newclosed
Summary: scummvm crash on startup (zip file handling)UNZIP: Double free causes crash

comment:3 by SF/chkr, 15 years ago

I had roughly scanned the changes in SVN before writing the bug report, but somehow I've missed this bug fix. I have just re-tested it with current snapshot (2010-03-07) and the problem does not happen anymore. Thank you very much.

comment:4 by digitall, 6 years ago

Component: --Other--
Note: See TracTickets for help on using tickets.