From 092bdf3d32d0ee71c04ace21c74ae240bd4ec6ae Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sat, 6 Sep 2008 15:31:55 +0200 Subject: tag: fix segfault on update clearMpdTag could be called on a tag that was still in a tag_begin_add transaction before tag_end_add is called. This was causing free() to attempt to operate on bulk.items; which is un-free()-able. Now instead we unmark the bulk.busy to avoid committing the tags to the heap only to be immediately freed. Additionally, we need to remember to call tag_end_add() when a song is updated before we NULL song->tag to avoid tripping an assertion the next time tag_begin_add() is called.
---
 src/song.c | 1 + src/tag.c | 35 +++++++++++++++++++++-------------- 2 files changed, 22 insertions(+), 14 deletions(-) (limited to 'src')
diff --git a/src/song.c b/src/song.c
index 8651a010..067ce440 100644
--- a/src/song.c
+++ b/src/song.c
@@ -202,6 +202,7 @@ static void insertSongIntoList(SongList * list, ListNode ** nextSongNode,
 Song *tempSong = (Song *) ((*nextSongNode)->data);
 if (tempSong->mtime != song->mtime) {
 tag_free(tempSong->tag);
+ tag_end_add(song->tag);
 tempSong->tag = song->tag;
 tempSong->mtime = song->mtime;
 song->tag = NULL;
diff --git a/src/tag.c b/src/tag.c
index d76ba5d9..6e31a165 100644
--- a/src/tag.c
+++ b/src/tag.c
@@ -26,6 +26,19 @@
 #include "tagTracker.h"
 #include "song.h"
+/**
+ * Maximum number of items managed in the bulk list; if it is
+ * exceeded, we switch back to "normal" reallocation.
+ */
+#define BULK_MAX 64
+
+static struct {
+#ifndef NDEBUG
+ int busy;
+#endif
+ struct tag_item *items[BULK_MAX];
+} bulk;
+
 const char *mpdTagItemKeys[TAG_NUM_OF_ITEM_TYPES] = {
 "Artist",
 "Album",
@@ -288,8 +301,15 @@ static void clearMpdTag(struct tag *tag)
 tag_pool_put_item(tag->items[i]);
 }
- if (tag->items)
+ if (tag->items == bulk.items) {
+#ifndef NDEBUG
+ assert(bulk.busy);
+ bulk.busy = 0;
+#endif
+ } else if (tag->items) {
 free(tag->items);
+ }
+
 tag->items = NULL;
 tag->numOfItems = 0;
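Review bot: In src/song.c, insertSongIntoList, the added `tag_end_add(song->tag);` passes song->tag without a NULL check, and nothing in the hunk shows that an incoming song always carries a tag at this point. tag_end_add's body is outside this diff, so if it dereferences its argument, a tagless entry would crash the update path; consider `if (song->tag) tag_end_add(song->tag);`. A short comment such as `/* close the bulk transaction before ownership of song->tag moves to tempSong */` would also record why the call sits here. The function starts and ends outside the hunk.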
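Review bot: In src/tag.c, clearMpdTag, the new `if (tag->items == bulk.items)` branch has an empty body when NDEBUG is defined, so release builds rely on pointer identity alone to keep the static bulk.items array away from free(). That is the property the fix depends on, and it should be stated at the branch, for example `/* items still points at the static bulk list (open tag_begin_add transaction); it was never malloc'ed and must not be freed */`. Because bulk.busy exists only in debug builds, `assert(bulk.busy)` documents the expected state but checks nothing in release builds, which is worth noting in the same comment. The opening lines of clearMpdTag are outside the hunk.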
@@ -363,19 +383,6 @@ static inline const char *fix_utf8(const char *str, size_t *length_r) {
 return temp;
 }
-/**
- * Maximum number of items managed in the bulk list; if it is
- * exceeded, we switch back to "normal" reallocation.
- */
-#define BULK_MAX 64
-
-static struct {
-#ifndef NDEBUG
- int busy;
-#endif
- struct tag_item *items[BULK_MAX];
-} bulk;
-
 void tag_begin_add(struct tag *tag)
 {
 assert(!bulk.busy);
-- cgit v1.2.3