From dae93920d513842f6c9a96e833043f3f6f8e0681 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Tue, 6 Mar 2012 19:34:06 +0000
Subject: Fix ref counting bugs in race condition correction code.

When we attempt to insert a key/value pair into the store, we have to allow for the possibility that a racing thread may have already inserted an equivalent key/value. We have special code in place to handle this eventuality; if we spot an existing entry, we take the existing one in preference to our new key/value pair. This means that fz_store_item needs to take a new reference to any existing thing it finds before returning it. Currently the only store user that is exposed to this possibility is pdf_image; it spots an existing tile being returned, and was inadvertently double freeing the key.
---
 fitz/res_store.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'fitz')

diff --git a/fitz/res_store.c b/fitz/res_store.c
index 2a7680e3..cc635052 100644
--- a/fitz/res_store.c
+++ b/fitz/res_store.c
@@ -266,14 +266,15 @@ fz_store_item(fz_context *ctx, void *key, void *val_, unsigned int itemsize, fz_
 }
 if (existing)
 {
+ /* Take a new reference */
+ existing->val->refs++;
 fz_unlock(ctx, FZ_LOCK_ALLOC);
 fz_free(ctx, item);
 return existing->val;
 }
 }
 /* Now we can never fail, bump the ref */
- if (val->refs > 0)
- val->refs++;
+ val->refs++;
 /* Regardless of whether it's indexed, it goes into the linked list */
 item->next = store->head;
 if (item->next)
-- 
cgit v1.2.3
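Review bot: The ownership contract at `return existing->val;` is now the subtle part of this function and is not documented at the return site: the caller receives a new reference to the existing value and still owns the `val` it passed in (the commit message says pdf_image was getting exactly this wrong), so a comment such as `/* Caller gets a new ref on the existing value; the val it passed in is untouched and must still be dropped by the caller. */` above the return would make the next double free less likely. The removed guard `if (val->refs > 0)` presumably protected values whose refcount is not positive (static or otherwise non-refcounted objects, if the store admits any); with the unconditional `val->refs++` such a value would now be bumped too, so it is worth confirming that every caller of fz_store_item passes a live refcounted value, or restoring the guard with a comment saying why it is needed. The lock is still held when `existing->val->refs++` runs, which is the right ordering relative to `fz_unlock`, but the same cannot be checked for the later `val->refs++` from this hunk alone since fz_store_item begins and ends outside it.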