From: Mikhail Rasputin
Date: Wed, 24 Jun 2020 16:21:31 +0000 (+0300)
Subject: jtag/tcl: fix a double free of jim object
X-Git-Url: https://git.gag.com/?a=commitdiff_plain;h=70f69f872857fd94ed252088d00e071e57d07b39;p=fw%2Fopenocd
jtag/tcl: fix a double free of jim object
The Jim_SetResultFormatted() frees jim object earlier and the Jim_FreeNewObj() does it second time. It breaks the memory heap. To avoid it the Jim_IncrRefCount() + Jim_DecrRefCount() should be used instead of the Jim_FreeNewObj() call.
Change-Id: Ifa5f38009b2d617624b5f27e916720888a3dbad9
Signed-off-by: Mikhail Rasputin
Reviewed-on: http://openocd.zylin.com/5724
Tested-by: jenkins
Reviewed-by: Antonio Borneo
---
diff --git a/src/jtag/tcl.c b/src/jtag/tcl.c
index d2f1f0db5..8b76bff07 100644
--- a/src/jtag/tcl.c
+++ b/src/jtag/tcl.c
@@ -689,8 +689,9 @@ static int jim_jtag_arp_init(Jim_Interp *interp, int argc, Jim_Obj *const *argv)
 int e = jtag_init_inner(context);
 if (e != ERROR_OK) {
 Jim_Obj *eObj = Jim_NewIntObj(goi.interp, e);
+ Jim_IncrRefCount(eObj);
 Jim_SetResultFormatted(goi.interp, "error: %#s", eObj);
- Jim_FreeNewObj(goi.interp, eObj);
+ Jim_DecrRefCount(goi.interp, eObj);
 return JIM_ERR;
 }
 return JIM_OK;
@@ -713,8 +714,9 @@ static int jim_jtag_arp_init_reset(Jim_Interp *interp, int argc, Jim_Obj *const
 if (e != ERROR_OK) {
 Jim_Obj *eObj = Jim_NewIntObj(goi.interp, e);
+ Jim_IncrRefCount(eObj);
 Jim_SetResultFormatted(goi.interp, "error: %#s", eObj);
- Jim_FreeNewObj(goi.interp, eObj);
+ Jim_DecrRefCount(goi.interp, eObj);
 return JIM_ERR;
 }
 return JIM_OK;
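Review bot: The new Jim_IncrRefCount()/Jim_DecrRefCount() pair around Jim_SetResultFormatted() in jim_jtag_arp_init is correct but reads like a no-op to anyone who does not know the commit history, and the same unexplained pattern appears in the jim_jtag_arp_init_reset hunk; a one-line comment on the Jim_IncrRefCount() line would stop a future cleanup from "simplifying" it back into the double free, e.g. `/* Jim_SetResultFormatted() releases eObj's reference; hold one so it stays valid until we drop it below */`. Since the two error paths are now identical five-line sequences, a small static helper taking goi.interp and e would keep them from drifting apart again, though that is optional. If Jim_SetResultFormatted() supports a plain integer conversion for this Jim version, the temporary object (and its refcount handling) could be avoided entirely — worth confirming against the jim headers in tree. Both enclosing functions begin outside their hunks.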