Double-free using elan driver
There was a double-free caught by glibc in the elan driver while trying to use the libfprint v2 port of fprintd. The sequence of operations was list, enroll, list, then an attempt to verify, with fprintd running continuously with the -t
option.
#0 0x00007f48b7b4f625 in raise () from /lib64/libc.so.6
#1 0x00007f48b7b388d9 in abort () from /lib64/libc.so.6
#2 0x00007f48b7b934af in __libc_message () from /lib64/libc.so.6
#3 0x00007f48b7b9aa9c in malloc_printerr () from /lib64/libc.so.6
#4 0x00007f48b7b9c92c in _int_free () from /lib64/libc.so.6
#5 0x00007f48b817ecec in elan_dev_reset_state (elandev=elandev@entry=0x5c60f0) at ../../../../Projects/jhbuild/libfprint/libfprint/drivers/elan.c:110
#6 0x00007f48b817f6cf in elan_activate (dev=0x5c60f0) at ../../../../Projects/jhbuild/libfprint/libfprint/drivers/elan.c:887
#7 dev_activate (dev=0x5c60f0) at ../../../../Projects/jhbuild/libfprint/libfprint/drivers/elan.c:945
#8 0x00007f48b8158de5 in fp_image_device_activate (self=self@entry=0x5c60f0) at ../../../../Projects/jhbuild/libfprint/libfprint/fp-image-device.c:125
#9 0x00007f48b8159451 in fp_image_device_start_capture_action (device=0x5c60f0) at ../../../../Projects/jhbuild/libfprint/libfprint/fp-image-device.c:282
#10 0x00007f48b814fd42 in fp_device_verify (device=0x5c60f0, enrolled_print=0x5e8750, cancellable=0x7f48ac004de0, callback=callback@entry=0x407470 <verify_cb>, user_data=user_data@entry=0x5b5670)
at ../../../../Projects/jhbuild/libfprint/libfprint/fp-device.h:32
#11 0x0000000000407199 in fprint_device_verify_start (rdev=<optimized out>, finger_name=<optimized out>, context=<optimized out>) at /home/hadess/Projects/jhbuild/fprintd/src/device.c:906
#12 0x00007f48b80d9f56 in object_registration_message () from /lib64/libdbus-glib-1.so.2
#13 0x00007f48b809d0b8 in _dbus_object_tree_dispatch_and_unlock () from /lib64/libdbus-1.so.3
#14 0x00007f48b808d764 in dbus_connection_dispatch () from /lib64/libdbus-1.so.3
#15 0x00007f48b80ebb79 in message_queue_dispatch () from /lib64/libdbus-glib-1.so.2
#16 0x00007f48b7d4cc0d in g_main_dispatch (context=0x5b3f30) at ../../../../Projects/jhbuild/glib/glib/gmain.c:3185
#17 g_main_context_dispatch (context=context@entry=0x5b3f30) at ../../../../Projects/jhbuild/glib/glib/gmain.c:3850
#18 0x00007f48b7d4ce60 in g_main_context_iterate (context=0x5b3f30, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../../../../Projects/jhbuild/glib/glib/gmain.c:3923
#19 0x00007f48b7d4d133 in g_main_loop_run (loop=0x5b9450) at ../../../../Projects/jhbuild/glib/glib/gmain.c:4117
#20 0x0000000000404ebc in main (argc=<optimized out>, argv=<optimized out>) at /home/hadess/Projects/jhbuild/fprintd/src/main.c:203
(gdb) frame 5
#5 0x00007f48b817ecec in elan_dev_reset_state (elandev=elandev@entry=0x5c60f0) at ../../../../Projects/jhbuild/libfprint/libfprint/drivers/elan.c:110
110 g_free (elandev->last_read);
(gdb) list
105 elandev->cmd = NULL;
106 elandev->cmd_timeout = ELAN_CMD_TIMEOUT;
107
108 elandev->calib_status = 0;
109
110 g_free (elandev->last_read);
111 elandev->last_read = NULL;
112
113 g_slist_free_full (elandev->frames, g_free);
114 elandev->frames = NULL;
(gdb) p elandev
$1 = (FpiDeviceElan *) 0x5c60f0
(gdb) p elandev->last_read
$2 = (unsigned char *) 0x5f80a0 "\200aͷH\177"