I did not find this potential bug already posted. Thus, I wanted to share it.
In certain situations, when a VMware image (handler) has become corrupted, specifically its associated snapshot, and one calls the VIX API, a glibc double free error will occur. This leads to a SIGABRT and an immediate termination of the application.
The specs on the machine and API are as follows:
VIX API v1.2 (32 bit)
OS: Linux Red Hat Enterprise 4
(gdb) run
Starting program: /home/shasta/VIX_Tester_32/cj_tester
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
going to call VixVM_Open()
Got open now wait for call....
Done waiting...
glibc detected *** double free or corruption (fasttop): 0x083842d0 ***
Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0 0xffffe410 in __kernel_vsyscall ()
#1 0x0050c7a5 in raise () from /lib/tls/libc.so.6
#2 0x0050e209 in abort () from /lib/tls/libc.so.6
#3 0x0054071a in __libc_message () from /lib/tls/libc.so.6
#4 0x00546fbf in intfree () from /lib/tls/libc.so.6
#5 0x0054733a in free () from /lib/tls/libc.so.6
#6 0xf7c7bbf6 in VixVM_GetCurrentSnapshot ()
   from /home/shasta/VIX_Tester_32/vmware-vix-distrib/vmware-vix/lib/ws-3/32bit/libvix.so
#7 0x0804a5eb in getCurrentSnapshot (
    vmxFilePath=0xffffd470 "/apps/Symantec/shasta/analysis/VMWareSessions/vmxphomesp2_5/vmxphomesp2_5.vmx")
    at VMWareController.cpp:422
#8 0x0804aa6b in main () at cj_tester.cpp:12
You'll see that the double free occurs when the program calls VixVM_GetCurrentSnapshot(). Is it possible for the API to appropriately check and determine whether the VM handle is possibly corrupt, or at least has no allocation for it? This would potentially eliminate the double free.
Below is my sample code that calls VixVM_GetCurrentSnapshot()
#include <cstdio>
#include <string>
#include "vix.h"

/* GetHandleMap() and VixHandleWrapper are the poster's own helpers (not shown). */
int getCurrentSnapshot(const char vmxFilePath[]) {
    /* Retrieve the current snapshot associated with a VM image */
    VixError err;
    VixHandle vmHandle = GetHandleMap()->GetHandle(std::string(vmxFilePath));
    VixHandleWrapper snapshotHandle(VIX_INVALID_HANDLE);
    /* SIGABRT occurs in the call below */
    err = VixVM_GetCurrentSnapshot(vmHandle, snapshotHandle.GetHandleByPtr());
    if (VIX_OK != err || snapshotHandle.GetHandle() == VIX_INVALID_HANDLE) {
#ifdef ERROR
        printf("Error getting snapshot handle: %s \n", Vix_GetErrorText(err, NULL));
#endif
        return err;
    }
    char* snapshotName = NULL;
    err = Vix_GetProperties(snapshotHandle.GetHandle(), VIX_PROPERTY_SNAPSHOT_DISPLAYNAME, &snapshotName, VIX_PROPERTY_NONE);
    /* Use the returned buffer only if the property lookup succeeded */
    if (VIX_OK != err || snapshotName == NULL) {
        return err;
    }
    /* Copy into a std::string, which allocates room for the terminating NUL */
    std::string sName(snapshotName);
    Vix_FreeBuffer(snapshotName);
    return 0;
}
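An added example, not part of the original post and not VMware code: one way a caller can keep an abort inside a third-party library from terminating the whole application is to make the call in a forked child and inspect how the child ended. `run_isolated`, `isolated_fn` and the two stand-in functions are hypothetical names; `crashing_call` uses `abort()` as a constructed stand-in for the glibc double-free abort, and the sketch assumes the wrapped function does its own VIX connect and open inside the child.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical callback type: wraps one library call, returns 0..255. */
typedef int (*isolated_fn)(void *arg);

/*
 * Run fn(arg) in a forked child. Returns the child's exit status (0..255),
 * or -1 if the child was killed by a signal (number stored in *sig) or if
 * fork/waitpid failed (*sig stays 0).
 */
int run_isolated(isolated_fn fn, void *arg, int *sig)
{
    int status = 0;
    pid_t pid;

    *sig = 0;
    fflush(NULL);               /* do not duplicate buffered stdio in the child */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn(arg) & 0xff);  /* child: report the result via exit status */

    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status)) {  /* e.g. SIGABRT raised by glibc's free() check */
        *sig = WTERMSIG(status);
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed stand-ins: abort() mimics glibc's reaction to the double free. */
static int crashing_call(void *arg) { (void)arg; abort(); }
static int healthy_call(void *arg)  { (void)arg; return 0; }

int main(void)
{
    int sig;
    int rc = run_isolated(crashing_call, NULL, &sig);
    printf("crashing call: rc=%d signal=%d\n", rc, sig);
    rc = run_isolated(healthy_call, NULL, &sig);
    printf("healthy call:  rc=%d signal=%d\n", rc, sig);
    return 0;
}
```

The parent survives the child's SIGABRT and can log the affected .vmx path or skip that VM instead of dying with it.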