On a recent amd64 snapshot I ran into this:
(inside a tmux session session)
$ tmux new-window
$ tmux capture-pane -S -
$ tmux save-buffer /tmp/mybuf
$ hexdump -Cv /tmp/mybuf
00000000 df df df df df df df df df df df df df df df df |................|
00000010 df df df df df df df df df df df df df df df df |................|
00000020 df df df df df df df df df df df df df df df df |................|
00000030 df df df df df df df df df df df df df df df df |................|
00000040 df df df df df df df df df df df df df df df df |................|
00000050 df df df df df df df df df df df df df df df df |................|
00000060 df df df df |....|
00000064
$
The problem was introduced in the latest commit to
cmd-capture-pane.c (revision 1.33).
In case paste_set(buf, ...) succeeded, buf must not be freed because
then nodes in the paste_by_name and paste_by_time trees will point to
it. Thus, the last free(buf) before returning is incorrect. On the
other hand, evbuffer_add() appends buf to c->stdout_data, so we should
free(buf) there.
Index: usr.bin/tmux/cmd-capture-pane.c
===================================================================
RCS file: /cvs/src/usr.bin/tmux/cmd-capture-pane.c,v
retrieving revision 1.33
diff -u -p -r1.33 cmd-capture-pane.c
--- usr.bin/tmux/cmd-capture-pane.c 7 Oct 2015 09:52:58 -0000 1.33
+++ usr.bin/tmux/cmd-capture-pane.c 16 Oct 2015 07:25:25 -0000
@@ -200,11 +200,11 @@ cmd_capture_pane_exec(struct cmd *self,
return (CMD_RETURN_ERROR);
}
evbuffer_add(c->stdout_data, buf, len);
+ free(buf);
if (args_has(args, 'P') && len > 0)
evbuffer_add(c->stdout_data, "\n", 1);
server_push_stdout(c);
} else {
-
bufname = NULL;
if (args_has(args, 'b'))
bufname = args_get(args, 'b');
@@ -217,6 +217,5 @@ cmd_capture_pane_exec(struct cmd *self,
}
}
- free(buf);
return (CMD_RETURN_NORMAL);
}
