aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Wong <normalperson@yhbt.net>2008-09-06 15:31:55 +0200
committerMax Kellermann <max@duempel.org>2008-09-06 15:31:55 +0200
commit092bdf3d32d0ee71c04ace21c74ae240bd4ec6ae (patch)
treeeefc3c842ab1af3b75d9827ffd7923a437fe62f1
parent6146d4f5bbb800a1499ab23ea8cc997e97d6cb06 (diff)
downloadmpd-092bdf3d32d0ee71c04ace21c74ae240bd4ec6ae.tar.gz
mpd-092bdf3d32d0ee71c04ace21c74ae240bd4ec6ae.tar.xz
mpd-092bdf3d32d0ee71c04ace21c74ae240bd4ec6ae.zip
tag: fix segfault on update
clearMpdTag could be called on a tag that was still in a tag_begin_add transaction before tag_end_add is called. This was causing free() to attempt to operate on bulk.items; which is un-free()-able. Now instead we unmark the bulk.busy to avoid committing the tags to the heap only to be immediately freed. Additionally, we need to remember to call tag_end_add() when a song is updated before we NULL song->tag to avoid tripping an assertion the next time tag_begin_add() is called.
-rw-r--r--src/song.c1
-rw-r--r--src/tag.c35
2 files changed, 22 insertions, 14 deletions
diff --git a/src/song.c b/src/song.c
index 8651a0100..067ce440a 100644
--- a/src/song.c
+++ b/src/song.c
@@ -202,6 +202,7 @@ static void insertSongIntoList(SongList * list, ListNode ** nextSongNode,
Song *tempSong = (Song *) ((*nextSongNode)->data);
if (tempSong->mtime != song->mtime) {
tag_free(tempSong->tag);
+ tag_end_add(song->tag);
tempSong->tag = song->tag;
tempSong->mtime = song->mtime;
song->tag = NULL;
diff --git a/src/tag.c b/src/tag.c
index d76ba5d95..6e31a1651 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -26,6 +26,19 @@
#include "tagTracker.h"
#include "song.h"
+/**
+ * Maximum number of items managed in the bulk list; if it is
+ * exceeded, we switch back to "normal" reallocation.
+ */
+#define BULK_MAX 64
+
+static struct {
+#ifndef NDEBUG
+ int busy;
+#endif
+ struct tag_item *items[BULK_MAX];
+} bulk;
+
const char *mpdTagItemKeys[TAG_NUM_OF_ITEM_TYPES] = {
"Artist",
"Album",
@@ -288,8 +301,15 @@ static void clearMpdTag(struct tag *tag)
tag_pool_put_item(tag->items[i]);
}
- if (tag->items)
+ if (tag->items == bulk.items) {
+#ifndef NDEBUG
+ assert(bulk.busy);
+ bulk.busy = 0;
+#endif
+ } else if (tag->items) {
free(tag->items);
+ }
+
tag->items = NULL;
tag->numOfItems = 0;
@@ -363,19 +383,6 @@ static inline const char *fix_utf8(const char *str, size_t *length_r) {
return temp;
}
-/**
- * Maximum number of items managed in the bulk list; if it is
- * exceeded, we switch back to "normal" reallocation.
- */
-#define BULK_MAX 64
-
-static struct {
-#ifndef NDEBUG
- int busy;
-#endif
- struct tag_item *items[BULK_MAX];
-} bulk;
-
void tag_begin_add(struct tag *tag)
{
assert(!bulk.busy);