Jeremy wrote:
On Sat, May 24, 2008 at 08:04:19PM +0100, Jeremy Henty wrote:
Reviewing the rest of nav.c I think there is a similar potential problem with Nav_stack_insert(), which also modifies bw->nav_stack.
On second thoughts, Nav_stack_insert() seems broken. It frees the pointer at the insertion point, so it clearly expects the new item to replace the old. But then it calls dList_insert_pos() which does *not* replace the item at the insertion point, instead it extends the list and moves everything up to make space. So now we have a freed pointer in bw->nav_stack.
Either Nav_stack_insert() should not be freeing the pointer or it should call a dList_*() function that replaces the item it has freed. Which?
Since it looks like Nav_stack_truncate() already got rid of everything at stack_idx and beyond, maybe Nav_stack_insert() could be replaced by a Nav_stack_append() function.