Fix double-free bug (!6) · Merge requests · Debian EFI team / libxmlb

In some cases there can be a double free of XbBuilderNode elements. This can happen when a XbBuilderNode is marked to be destroyed when including only the highest priority translation, if any of its childer is also marked to be destroyed there too. In that case, the children is destroyed twice: one when the parent is destroyed, and another when it is destroyed in the loop.

To fix this, this patch increases the refcount of each element added to the 'nodes_to_destroy' ptr_array in the 'xb_builder_xml_lang_prio_cb' function, and defines the ptr_array variable used to manage it with a free function. This guarantees that no element is destroyed twice.

This bug was discovered because it caused a segmentation fault in Gnome Software. Applying this patch fixes it, and removes several errors detected by Valgrind.

This same patch has been merged in upstream (https://github.com/hughsie/libxmlb/pull/127)

Edited Sep 05, 2022 by Sergio Costas

Fix double-free bug

Merge request reports