> > is created to fix a use-after-free bug that could cause bibview to crash
> > in some circumstances.  Also, the patch file
> 
> Can you give steps to reproduce? There is a change in this area in some
> other OS packages and I'm wondering if that will help without removing
> the tempfile cleanup.


To reproduce the crash, do the following:

 (1) On the command-line, type

  bibview

 to run bibview.

 (2) Click the File>New menu item in the main window.

 (3) A bibliography window will pop up.  In this window, click the
 New>misc menu item.

 (4) A card window will pop up.  In this window, click Save, then click
 Close.

 (5) In the bibliography window, click Close.

 (6) A dialog box will pop up, asking whether you really want to close.
 Click Close in the dialog box.  bibview will then crash with a "Bus
 error".

The crash occurs while evaluating the closeCmdOk function that appears
in the ctl_save.c file.  Initially, gbp->tempfile points to a pathname
for a temporary file, and gbp->macrofile is the null pointer.  But then
gubCloseBibWin(gbp) is called.  Inside this function, the variable bp
has the value of gbp.  Then glbDelBibListEl(bp) is called.  This
function unlinks the tempfile from its directory, then calls
XtFree((char *)bp->tempfile) and XtFree((char *)bn), freeing the memory
that held the pathname.  OpenBSD changes bp->macrofile from NULL to
0xdfdfdfdfdfdfdfdf.  Then, when we return to closeCmdOk, bibview
attempts to read the pathname that has already been freed, causing a
crash.

But the code that causes the crash in the closeCmdOk function can be
deleted, because it's trying to remove a temporary file that has already
been removed using the unlink function.  (There is a possibility that an
error condition could cause glbDelBibListEl to return without unlinking
the tempfile.  But the file is in the /tmp directory, so it will
eventually be removed by the operating system, anyway.)
