# HG changeset patch
# User Matti Hamalainen
# Date 1206787938 -7200
# Node ID 6039012d8252118ac4d4c164ecc9fa52e45cda94
# Parent 2848669e63a4e9ad9e8f1ae421b773bc66aa3b1d
Certain piece of allocated memory was free'd before we were done with it, causing mayhem of accessing (read only, tho) of unassigned memory. Fixed, should close bugzilla #199.
diff -r 2848669e63a4 -r 6039012d8252 src/madplug/input.c
--- a/src/madplug/input.c Sat Mar 29 12:14:17 2008 +0200
+++ b/src/madplug/input.c Sat Mar 29 12:52:18 2008 +0200
@@ -199,17 +199,16 @@
 *(tmp + tmp_len) = 0; //terminate
 ptr += tmp_len;
+ /* id3_genre_name may, in some cases, return the given string
+ * so we must free it after we're done, not before.
+ */
 genre = (id3_ucs4_t *)id3_genre_name((const id3_ucs4_t *)tmp);
+ tmp_len = mad_ucs4len(genre);
+ memcpy(ret + ret_len, genre, BYTES(tmp_len));
+ ret_len += tmp_len;
+ *(ret + ret_len) = 0; //terminate
 g_free(tmp);
- tmp = NULL;
-
- if (genre) {
- tmp_len = mad_ucs4len(genre);
- memcpy(ret + ret_len, genre, BYTES(tmp_len));
- ret_len += tmp_len;
- }
- *(ret + ret_len) = 0; //terminate
 }
 }
 else {
@@ -235,18 +234,17 @@
 *(tmp + tmp_len) = 0; //terminate
 ptr += tmp_len;
+ /* id3_genre_name may, in some cases, return the given string
+ * so we must free it after we're done, not before.
+ */
 genre = (id3_ucs4_t *)id3_genre_name((const id3_ucs4_t *)tmp);
 AUDDBG("genre length = %d\n", mad_ucs4len(genre));
-
+
+ tmp_len = mad_ucs4len(genre);
+ memcpy(ret + ret_len, genre, BYTES(tmp_len));
+ ret_len += tmp_len;
+ *(ret + ret_len) = 0; //terminate
 g_free(tmp);
- tmp = NULL;
-
- if (genre) {
- tmp_len = mad_ucs4len(genre);
- memcpy(ret + ret_len, genre, BYTES(tmp_len));
- ret_len += tmp_len;
- }
- *(ret + ret_len) = 0; //terminate
 }
 else { // plain text
 tmp_len = end - ptr;
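Review bot: Both hunks drop the old `if (genre)` guard, so `mad_ucs4len(genre)` and the `memcpy` now run unconditionally on whatever `id3_genre_name()` returns. If that function is guaranteed never to return NULL, the new comment should say so; otherwise keep `if (genre) { ... }` around the copy and leave `g_free(tmp)` after it. Separately, nothing visible in either hunk checks that `ret` has room for `ret_len + tmp_len + 1` characters before the `memcpy` and the terminator write, and a looked-up genre name may be longer than the reference it replaces, which matters because the tag text comes from an untrusted file. The allocation of `ret` is outside the hunks, so confirm its capacity there or clamp before the copy, e.g. `if (tmp_len > cap - ret_len - 1) tmp_len = cap - ret_len - 1;`, where `cap` is a placeholder for the allocated character count. The enclosing function begins and ends outside both hunks.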