An attempt to fix a "double free crash" from the previous check-in.
Commit
18c9d1036830498093e3ebcb88f2ab9a66a3133864ad4e1279c546c145ede49a
Parent
544df852b2d9a1e…
1 file changed
+11
-1
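--- a/src/markdown.c
+++ b/src/markdown.c
@@ -2610,11 +2610,21 @@
 /* move redundant elements to the end of array and truncate/resize */
 qsort(fn, rndr.notes.nLbled, sizeof(struct footnote), cmp_footnote_id);
 i = rndr.notes.nLbled;
 while( i && !blob_size(&fn[i-1].id) ){ i--; }
 rndr.notes.nLbled = i;
-blob_truncate( &rndr.notes.all, i*sizeof(struct footnote) );
+blob_resize( &rndr.notes.all, i*sizeof(struct footnote) );
+
+/* FIXME: It was expected to work via truncation:
+ *
+ * blob_truncate( &rndr.notes.all, i*sizeof(struct footnote) );
+ *
+ * but that way it crashes with
+ *
+ * free(): double free detected in tcache 2
+ *
+ * This is strange. */
 }
 assert( COUNT_FOOTNOTES(&rndr.notes.all) == rndr.notes.nLbled );
 fn = CAST_AS_FOOTNOTES(&rndr.notes.all);
 for(i=0; i<rndr.notes.nLbled; i++){
 fn[i].index = i;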
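Review bot: Swapping blob_truncate() for blob_resize() on new line 2615 is paired with a FIXME that calls the double free "strange", so the root cause is still unexplained and the new call may only change the allocation pattern enough that glibc's tcache check no longer fires rather than remove the second free. The entries sorted past index i are dropped by shrinking rndr.notes.all, so whatever storage they own (their id blobs are the part visible here) must be released exactly once; if they are released both at the point they are dropped and again by the caller's general cleanup of the footnote array, that would produce exactly this crash, and reallocating the container does not address it — I would rerun the failing input under -fsanitize=address to get both free stacks before accepting this change. Once confirmed, the FIXME should be replaced by a statement of the ownership rule, e.g. `/* Entries [i..nLbled) are released before the array is shrunk; the caller must not free them again. */`, and the call should stay consistent with whichever of truncate/resize the rest of the file uses for shrinking footnote arrays. The enclosing function starts and ends outside this hunk, and the two following views of src/markdown.c repeat the same lines.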
| --- src/markdown.c | |
| +++ src/markdown.c | |
| @@ -2610,11 +2610,21 @@ | |
| 2610 | /* move redundant elements to the end of array and truncate/resize */ |
| 2611 | qsort(fn, rndr.notes.nLbled, sizeof(struct footnote), cmp_footnote_id); |
| 2612 | i = rndr.notes.nLbled; |
| 2613 | while( i && !blob_size(&fn[i-1].id) ){ i--; } |
| 2614 | rndr.notes.nLbled = i; |
| 2615 | blob_truncate( &rndr.notes.all, i*sizeof(struct footnote) ); |
| 2616 | } |
| 2617 | assert( COUNT_FOOTNOTES(&rndr.notes.all) == rndr.notes.nLbled ); |
| 2618 | fn = CAST_AS_FOOTNOTES(&rndr.notes.all); |
| 2619 | for(i=0; i<rndr.notes.nLbled; i++){ |
| 2620 | fn[i].index = i; |
| 2621 |
| --- src/markdown.c | |
| +++ src/markdown.c | |
| @@ -2610,11 +2610,21 @@ | |
| 2610 | /* move redundant elements to the end of array and truncate/resize */ |
| 2611 | qsort(fn, rndr.notes.nLbled, sizeof(struct footnote), cmp_footnote_id); |
| 2612 | i = rndr.notes.nLbled; |
| 2613 | while( i && !blob_size(&fn[i-1].id) ){ i--; } |
| 2614 | rndr.notes.nLbled = i; |
| 2615 | blob_resize( &rndr.notes.all, i*sizeof(struct footnote) ); |
| 2616 | |
| 2617 | /* FIXME: It was expected to work via truncation: |
| 2618 | * |
| 2619 | * blob_truncate( &rndr.notes.all, i*sizeof(struct footnote) ); |
| 2620 | * |
| 2621 | * but that way it crashes with |
| 2622 | * |
| 2623 | * free(): double free detected in tcache 2 |
| 2624 | * |
| 2625 | * This is strange. */ |
| 2626 | } |
| 2627 | assert( COUNT_FOOTNOTES(&rndr.notes.all) == rndr.notes.nLbled ); |
| 2628 | fn = CAST_AS_FOOTNOTES(&rndr.notes.all); |
| 2629 | for(i=0; i<rndr.notes.nLbled; i++){ |
| 2630 | fn[i].index = i; |
| 2631 |