From e9d4d3aef23b6871d73e880221e0612f07503f62 Mon Sep 17 00:00:00 2001 From: Kalle Olavi Niemitalo Date: Tue, 15 Jul 2008 00:09:27 +0300 Subject: [PATCH] Fix crash after a tab was opened during reload. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit 0b99fa70ca9d0f976655e61adee1a5eebacc0734 "Bug 620: Reset form fields to default values on reload" made render_document() decrement vs->form_info_len to 0 while vs->form_info remained non-NULL. copy_vs() then copied the whole structure with copy_struct and did not change form_info because form_info_len was 0. Both view_state structures had form_info pointing to the same memory block, causing a segfault when destroy_vs() tried to free that block a second time. Reported by أحمد المحمودي. --- NEWS | 2 ++ src/viewer/text/vs.c | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/NEWS b/NEWS index b01a90a77..7108a8ef8 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,8 @@ generally also includes the bug fixes made in ELinks 0.11.4.GIT. Bugs that should be removed from NEWS before the 0.12.0 release: +* critical: Fix crash after a tab was opened during reload. This was + triggered by the bug 620 fix in ELinks 0.12pre1. * major bug 1026 in user SMJS: Protect the callback of elinks.load_uri from the garbage collector. The elinks.load_uri method was added in ELinks 0.12pre1. diff --git a/src/viewer/text/vs.c b/src/viewer/text/vs.c index d0bbdf522..a7978dbee 100644 --- a/src/viewer/text/vs.c +++ b/src/viewer/text/vs.c @@ -79,6 +79,12 @@ copy_vs(struct view_state *dst, struct view_state *src) dst->ecmascript_fragile = 1; #endif + /* destroy_vs(vs) does mem_free_if(vs->form_info), so each + * view_state must have its own form_info. Normally we make a + * copy below, but not if src->form_info_len is 0, which it + * can be even if src->form_info is not NULL. */ + dst->form_info = NULL; + /* Clean as a baby. */ dst->doc_view = NULL;
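Review bot: In the vs.c hunk, `dst->form_info = NULL;` closes the double free, but it relies on the copy code below keying on `src->form_info_len` rather than on the pointer, and it leaves the underlying inconsistency in place: a `view_state` whose `form_info_len` is 0 while `form_info` is still non-NULL. Consider also restoring the invariant at the point where render_document() decrements `form_info_len` to 0 (free and NULL `form_info` there as well), and documenting in the struct definition that `form_info` may be non-NULL when `form_info_len` is 0, so the next reader of copy_vs() does not reintroduce the pointer-based shortcut. The added comment is good; it could be shortened to point at that invariant once it is stated in one place.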