I saw this with ASAN on when playing around with scripts that register menu items:
==1190545==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200002ac40 at pc 0x5570e0758f3b bp 0x7ffd807f2ca0 sp 0x7ffd807f2c90
READ of size 8 at 0x61200002ac40 thread T0
#0 0x5570e0758f3a in mb2FreeGetText ../fontforgeexe/windowmenu.c:312
#1 0x5570e0758ef9 in mb2FreeGetText ../fontforgeexe/windowmenu.c:316
#2 0x5570e043b8cc in FontViewFinish ../fontforgeexe/fontview.c:7034
#3 0x5570e043b8eb in FontViewFinishNonStatic ../fontforgeexe/fontview.c:7039
#4 0x5570e070e28e in fontforge_main ../fontforgeexe/startui.c:1441
#5 0x5570e0063da8 in main ../fontforgeexe/main.c:33
#6 0x7f2210465151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
#7 0x5570e0063cbd in _start (/usr/bin/fontforge+0x160cbd)
0x61200002ac40 is located 0 bytes inside of 288-byte region [0x61200002ac40,0x61200002ad60)
freed by thread T0 here:
#0 0x7f2212ac883a in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:164
#1 0x5570e063b510 in InsertSubMenus ../fontforgeexe/pythonui.c:246
#2 0x5570e063bd44 in PyFF_registerMenuItem ../fontforgeexe/pythonui.c:314
#3 0x7f22113e82a1 (/usr/lib/libpython3.9.so.1.0+0x14c2a1)
previously allocated by thread T0 here:
#0 0x7f2212ac883a in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:164
#1 0x5570e063b510 in InsertSubMenus ../fontforgeexe/pythonui.c:246
#2 0x5570e063bd44 in PyFF_registerMenuItem ../fontforgeexe/pythonui.c:314
#3 0x7f22113e82a1 (/usr/lib/libpython3.9.so.1.0+0x14c2a1)
The relevant lines in InsertSubMenus() are:
if ( *mn==NULL || (*mn)[j].ti.text==NULL ) {
    /* grow the table by one slot; realloc() may move the block, so any
       pointer previously taken into the old *mn is left dangling */
    *mn = realloc(*mn,(j+2)*sizeof(GMenuItem2));
    memset(*mn+j,0,2*sizeof(GMenuItem2));   /* zero the new slot and terminator */
}
So presumably, when that realloc changes the pointer, something still has a hold on the old one.
mb2FreeGetText() takes the menu structure as an argument.
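Added example, not FontForge's code: a minimal C model of the pattern the report describes, a table grown with realloc() while something else keeps a pointer into it, together with the usual fix of holding an index plus the table and resolving it on every use. MenuItem, Menu, MenuRef and the functions below are assumed names for this illustration only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for GMenuItem2 with only the field this example needs. */
typedef struct { const char *text; } MenuItem;

/* Hypothetical growable menu table: the realloc()'d block plus its item count. */
typedef struct { MenuItem *items; size_t n; } Menu;

/* Grow the table by one slot, mirroring the realloc()+memset() in InsertSubMenus().
 * The block may move, so any pointer taken into the old block is now dangling. */
static MenuItem *menu_grow(Menu *m) {
    MenuItem *grown = realloc(m->items, (m->n + 2) * sizeof *grown);
    if (grown == NULL) return NULL;
    memset(grown + m->n, 0, 2 * sizeof *grown);  /* zero the new slot and terminator */
    m->items = grown;
    m->n++;
    return grown;
}

/* Safe handle: keep the table and an index, and resolve it on every use instead
 * of caching a raw MenuItem pointer that a later growth can invalidate. */
typedef struct { Menu *menu; size_t index; } MenuRef;

static MenuItem *menu_ref_resolve(const MenuRef *r) {
    return r->index < r->menu->n ? &r->menu->items[r->index] : NULL;
}

/* Register one item, take an index-based reference to it, then grow the table
 * `growths` more times. Returns 1 if the reference still names the live slot. */
int index_ref_survives_growth(size_t growths) {
    Menu m = { NULL, 0 };
    if (menu_grow(&m) == NULL) return 0;
    m.items[0].text = "File";
    MenuRef ref = { &m, 0 };
    for (size_t i = 0; i < growths; i++)
        if (menu_grow(&m) == NULL) { free(m.items); return 0; }
    MenuItem *live = menu_ref_resolve(&ref);
    int ok = live == &m.items[0] && live->text != NULL && strcmp(live->text, "File") == 0;
    free(m.items);
    return ok;
}

int main(void) {
    printf("index-based reference valid after 4096 growths: %s\n",
           index_ref_survives_growth(4096) ? "yes" : "no");
    return 0;
}
```

Running the same program with a cached raw pointer instead of the MenuRef is exactly the shape ASAN reports above: the pointer survives the realloc() while the block it pointed to does not.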