Crash with "double free or corruption (!prev)" while exporting simple hypercard stack #6

Open
gjanssens opened this issue Dec 29, 2021 · 3 comments
@gjanssens

Hi,

I have cloned your repo and built stackimport on a Fedora 35 64bit system. I then ran it on a simple hypercard stack containing only a handful of cards and backgrounds. No fields, buttons and no resource fork. After exporting the first BMAP (past the default patterns), it crashes with the above error.

For your information, I have run it through a debugger as well. Here's the output and backtrace:

$ gdb ./stackimport
GNU gdb (GDB) Fedora 11.1-5.fc35
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./stackimport...
(gdb) r AdvGraphics 
Starting program: /kobaltnet/esmeralda/Kobalt W.I.T./Development/stackimport/stackimport AdvGraphics
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Status: Output package name is '/kobaltnet/esmeralda/Kobalt W.I.T./Development/stackimport/AdvGraphics.xstk/project.xml'
Status: Skipping 'FREE' #0 (2400 bytes)
Status: Skipping 'FREE' #0 (896 bytes)
Status: Found 49 blocks in file.
Progress: 0 of 46
Status: Processing 'STAK' #-1 (2036 bytes)
Progress: 1 of 46
Status: Processing 'FTBL' #3394 D42 (20 bytes)
Progress: 2 of 46
Status: Processing 'STBL' #3227 C9B (20 bytes)
Progress: 3 of 46
Status: Processing 'BKGD' #2587 A1B (52 bytes)
Progress: 4 of 46
Status: Processing 'BKGD' #4185 1059 (52 bytes)
Progress: 5 of 46
Status: Processing 'BKGD' #5222 1466 (52 bytes)
Progress: 6 of 46
Status: Processing 'BKGD' #5892 1704 (52 bytes)
Progress: 7 of 46
Status: Processing 'BKGD' #6698 1A2A (52 bytes)
Progress: 8 of 46
Status: Processing 'BKGD' #8107 1FAB (52 bytes)
Progress: 9 of 46
Status: Processing 'BKGD' #9031 2347 (52 bytes)
Progress: 10 of 46
Status: Processing 'BKGD' #9739 260B (52 bytes)
Progress: 11 of 46
Status: Processing 'BKGD' #12496 30D0 (52 bytes)
Progress: 12 of 46
Status: Processing 'BKGD' #13290 33EA (52 bytes)
Progress: 13 of 46
Status: Processing 'BMAP' #2115 843 (6484 bytes)
double free or corruption (!prev)

Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading 0.00 MB source file /usr/src/debug/glibc-2.34-12.fc35.x86_64/nptl/pthread_kill.c
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff7b058b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7ab86a6 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff7aa27d3 in __GI_abort () at abort.c:79
#4  0x00007ffff7af99f7 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c3668f "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007ffff7b0f83c in malloc_printerr (str=str@entry=0x7ffff7c39230 "double free or corruption (!prev)") at malloc.c:5536
#6  0x00007ffff7b1158c in _int_free (av=0x7ffff7c70aa0 <main_arena>, p=0x44d8d0, have_lock=<optimized out>) at malloc.c:4479
#7  0x00007ffff7b13bd5 in __GI___libc_free (mem=<optimized out>) at malloc.c:3279
#8  0x0000000000404774 in picture::~picture (this=0x7fffffffbb50, __in_chrg=<optimized out>) at picture.cpp:104
#9  0x000000000040d123 in CStackFile::LoadFile (this=0x7fffffffd2b0, fpath="/kobaltnet/esmeralda/Kobalt W.I.T./Development/stackimport/AdvGraphics")
    at CStackFile.cpp:1845
#10 0x00000000004067ed in main (argc=2, argv=0x7fffffffd588) at main.cpp:68
(gdb) frame 8
#8  0x0000000000404774 in picture::~picture (this=0x7fffffffbb50, __in_chrg=<optimized out>) at picture.cpp:104
104                     delete [] bitmap;
(gdb) print bitmaplength
$1 = 21888
(gdb) print this
$2 = (picture * const) 0x7fffffffbb50
(gdb) print *this
$3 = {width = 512, height = 342, depth = 1, greyscalemask = false, rowlength = 64, maskrowlength = 64, bitmaplength = 21888, 
  bitmap = 0x44d8e0 '\377' <repeats 200 times>..., masklength = 21888, 
  mask = 0x452e70 "w\277rwj\252\250\210\210\210\252\250\210\235", '\377' <repeats 186 times>...}
(gdb) q
A debugging session is active.

        Inferior 1 [process 52945] will be killed.

Quit anyway? (y or n) y
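
Added example, not part of the original report and not stackimport's code: glibc prints this message when free() finds inconsistent chunk metadata, which a write past the end of a heap buffer can cause as well as a second delete. The hypothetical `CheckedPicture` below uses the dimensions from the gdb dump (512x342, depth 1), rejects out-of-range row writes, and keeps a guard area after the pixels so an overrun is noticed before the buffer is released. All class, method and constant names are assumptions, as is the row-length formula, which was chosen to reproduce the dump's values.

```cpp
// Added example: hypothetical class, not stackimport's picture implementation.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

struct CheckedPicture {
    static constexpr std::uint8_t kCanary = 0xA5;  // constructed guard value
    static constexpr std::size_t kGuard = 16;      // guard bytes after the pixels

    int width, height;
    std::size_t rowlength, bitmaplength;
    std::vector<std::uint8_t> bitmap;              // pixels followed by the guard

    CheckedPicture(int w, int h, int depth)
        : width(w), height(h),
          rowlength((static_cast<std::size_t>(w) * depth + 7) / 8),
          bitmaplength(rowlength * h),
          bitmap(bitmaplength + kGuard, 0) {
        std::memset(bitmap.data() + bitmaplength, kCanary, kGuard);
    }

    // Copy one decoded row; refuse any write that would leave the pixel area.
    bool writeRow(int row, const std::uint8_t* src, std::size_t len) {
        if (row < 0 || row >= height || len > rowlength) return false;
        std::memcpy(bitmap.data() + row * rowlength, src, len);
        return true;
    }

    // True while nothing has been written past bitmaplength.
    bool guardIntact() const {
        for (std::size_t i = 0; i < kGuard; ++i)
            if (bitmap[bitmaplength + i] != kCanary) return false;
        return true;
    }

    // Stand-in for an unchecked decoder write, to show what the guard catches.
    void uncheckedWrite(std::size_t offset, std::uint8_t v) { bitmap.at(offset) = v; }
};

int main() {
    CheckedPicture p(512, 342, 1);                 // values from the gdb dump
    std::vector<std::uint8_t> row(65, 0xFF);
    bool ok = p.writeRow(341, row.data(), 64)      // last valid row
           && !p.writeRow(342, row.data(), 64)     // one row too many
           && !p.writeRow(341, row.data(), 65);    // one byte too long
    p.uncheckedWrite(p.bitmaplength, 0xFF);        // first byte past the pixels
    return (ok && !p.guardIntact()) ? 0 : 1;
}
```
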
@gjanssens
Author

If I skip deleting bitmap and mask pointers in the picture destructor, I get a little bit further, but it now segmentation faults 4 bitmaps later...

@uliwitness
Owner

I hope to be able to get to this soon. It might be some simple mistake I made somewhere, but if not, could you supply a link to the stack you're decoding, if it's not too much effort?

@uliwitness uliwitness self-assigned this Jan 28, 2022
@gjanssens
Author

I can provide it to you, but I prefer not to have it linked publicly here on GitHub. Can I send it to you using the e-mail address I found on your website (zathras)? It's only about 64kb - it's that old...
