shp2img: double free or corruption

[wturner]

shp2img gets this:

* glibc detected * shp2img: double free or corruption (fasttop): 0x095b78b0 * ======= Backtrace: ========= /lib/libc.so.6[0xb550f1] /lib/libc.so.6(cfree+0x90)[0xb58bc0] shp2img[0x8050f06] /lib/libc.so.6(libc_start_main+0xdc)[0xb01e8c] shp2img[0x8050601] ======= Memory map: ======== ...

It occurs when multiple layers are listed in the mapfile, and some (but not all) of those layers are listed in the '-l' argument to shp2img.

It appears that in shp2img.c, while looping through the '-l' argument list, the name of a (possibly bad) layer is remembered via:

invalid_layer = strdup(layers[j]);

If that layer is found later, the string is freed with:

if (invalid_layer)

free(invalid_layer);

which causes the double free error.

It seems that all the loop needs to do is remember the index of the list, not a strdup of the string. Doing that seems to work, and eliminates the double free problem.

Don't know if this is correct or not, but the patch below works for me.

=============================================================== --- shp2img.c-strdup 2009-11-04 13:53:23.000000000 +0000 +++ shp2img.c 2010-07-20 13:38:39.000000000 +0000 @@ -43,7 +43,7 @@

int num_layers=0;

int layer_found=0;

• char *invalid_layer=NULL;

+ int invalid_layer = -1;

char *outfile=NULL; /* no -o sends image to STDOUT */

@@ -263,18 +263,14 @@

break;

} else {

• if (invalid_layer)
• free(invalid_layer);
• invalid_layer = strdup(layers[j]);

+ invalid_layer = j;

}

} if (layer_found==0) {

• fprintf(stderr, "Layer (-l) %s not found\n", invalid_layer);

+ fprintf(stderr, "Layer (-l) %s not found\n", layers[invalid_layer]);

msCleanup(); exit(0);

}

• if (invalid_layer)
• free(invalid_layer);

}

for(j=0; j<map->numlayers; j++) {

===============================================================

[aboudreault]

Fixed and committed in r10647.