kicad-developers team mailing list archive

[PATCH] Fix use-after-release in SYMBOL_LIB_TABLE::Parse()


I stumbled upon this in SYMBOL_LIB_TABLE::Parse():

    if( !InsertRow( row.release() ) )
    {
        wxString msg = wxString::Format(
                            _( "'%s' is a duplicate symbol library nickname" ),
                            GetChars( row->GetNickName() ) );

I got a segfault from this, because the error message accesses row after
row.release() has given up ownership.

I'm not sure what the status of the new symbol library table code is at this
point, but I thought I might as well mention it. Attached patch fixes the
segfault.

Hope this helps,

 - Kristian.

diff --git a/eeschema/symbol_lib_table.cpp b/eeschema/symbol_lib_table.cpp
index 5ed5565..556abf1 100644
--- a/eeschema/symbol_lib_table.cpp
+++ b/eeschema/symbol_lib_table.cpp
@@ -185,13 +185,13 @@ void SYMBOL_LIB_TABLE::Parse( LIB_TABLE_LEXER* in )
         // use doReplace in InsertRow().  (However a fallBack table can have a
         // conflicting nickName and ours will supercede that one since in
         // FindLib() we search this table before any fall back.)
+        // Note that we need to format the error message in advance, as the
+        // ownership of the row pointer is passed to InsertRow().
+        wxString msg = wxString::Format(
+                            _( "'%s' is a duplicate symbol library nickname" ),
+                            GetChars( row->GetNickName() ) );
         if( !InsertRow( row.release() ) )
-        {
-            wxString msg = wxString::Format(
-                                _( "'%s' is a duplicate symbol library nickname" ),
-                                GetChars( row->GetNickName() ) );
             THROW_PARSE_ERROR( msg, in->CurSource(), in->CurLine(), lineNum, offset );
-        }
     }
 }
 
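Review bot: the message is now formatted for every row that is parsed, not only for the one that fails, because the `wxString::Format( _( ... ), GetChars( row->GetNickName() ) )` call runs before `InsertRow()` is reached; a lighter way to keep the data alive past `row.release()` is to copy just the nickname into a local (`wxString nickName = row->GetNickName();`) ahead of the call and build the message inside the `if` as before. The visible lines also do not show what `InsertRow()` does with the raw pointer when it returns false, so it is worth confirming that a rejected row is freed on the error path rather than leaked, since both the old and the new code release it unconditionally.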

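A self-contained C++ illustration of the defect and the repair discussed above (an added example, not KiCad's code): `Row`, `Table`, `parseRow` and `releaseLeavesNull` are stand-ins I constructed, and the assumption that `InsertRow` deletes a row it rejects is mine, not something the post states.

```cpp
#include <memory>
#include <set>
#include <string>

// Constructed stand-in for a library table row (KiCad's LIB_TABLE_ROW).
struct Row {
    std::string nickname;
    explicit Row(std::string n) : nickname(std::move(n)) {}
    const std::string& GetNickName() const { return nickname; }
};

// Constructed stand-in for SYMBOL_LIB_TABLE: InsertRow() takes ownership of the
// raw pointer, exactly the transfer the patch is about. Assumption for this
// example: a row with a duplicate nickname is rejected and deleted here.
class Table {
public:
    bool InsertRow(Row* raw) {
        std::unique_ptr<Row> row(raw);              // owns (and frees) raw
        return nicknames_.insert(row->GetNickName()).second;
    }
private:
    std::set<std::string> nicknames_;
};

// Why the original code segfaulted: unique_ptr::release() hands the pointer
// out and leaves the smart pointer empty, so a later row->GetNickName() is a
// null dereference, not a use of the (still live) object.
bool releaseLeavesNull() {
    auto row = std::make_unique<Row>("x");
    Row* raw = row.release();
    bool nullAfter = (row == nullptr);
    delete raw;
    return nullAfter;
}

// Repaired Parse() logic: copy what the error message needs BEFORE ownership
// leaves `row`. Returns "" on success, the duplicate message otherwise.
// (Cheaper than formatting the full message for every row, which the patch does.)
std::string parseRow(Table& table, std::unique_ptr<Row> row) {
    std::string nickname = row->GetNickName();
    if (!table.InsertRow(row.release()))            // row is nullptr from here on
        return "'" + nickname + "' is a duplicate symbol library nickname";
    return "";
}
```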