From 487584b7841f781adbe41baa7398346b2e827cef Mon Sep 17 00:00:00 2001
From: Rene Liebscher <r.liebscher@gmx.de>
Date: Mon, 14 Apr 2014 21:41:43 +0000
Subject: [PATCH] bug #42056: double free or corruption triggered at exit *
 pgm.c: copy usbpid list in pgm_dup

git-svn-id: svn://svn.savannah.nongnu.org/avrdude/trunk/avrdude@1298 81a1dc3b-b13d-400b-aceb-764788c761c2
---
 ChangeLog |  5 +++++
 pgm.c     | 14 ++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index fe8d07f2..733760b8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2014-04-14  Rene Liebscher <R.Liebscher@gmx.de>
+
+	bug #42056: double free or corruption triggered at exit
+	* pgm.c: copy usbpid list in pgm_dup
+
 2014-04-05  Joerg Wunsch <j.gnu@uriah.heep.sax.de>
 
 	* avrdude.1: Remove the note that users might edit the system-wide
diff --git a/pgm.c b/pgm.c
index 88a6ac3d..897917a6 100644
--- a/pgm.c
+++ b/pgm.c
@@ -143,6 +143,7 @@ void pgm_free(PROGRAMMER * const p)
   ldestroy_cb(p->id, free);
   ldestroy_cb(p->usbpid, free);
   p->id = NULL;
+  p->usbpid = NULL;
   /* this is done by pgm_teardown, but usually cookie is not set to NULL */
   /* if (p->cookie !=NULL) {
     free(p->cookie);
@@ -154,6 +155,7 @@ void pgm_free(PROGRAMMER * const p)
 PROGRAMMER * pgm_dup(const PROGRAMMER * const src)
 {
   PROGRAMMER * pgm;
+  LNODEID ln;
 
   pgm = (PROGRAMMER *)malloc(sizeof(*pgm));
   if (pgm == NULL) {
@@ -165,6 +167,18 @@ PROGRAMMER * pgm_dup(const PROGRAMMER * const src)
   memcpy(pgm, src, sizeof(*pgm));
 
   pgm->id = lcreat(NULL, 0);
+  pgm->usbpid = lcreat(NULL, 0);
+
+  for (ln = lfirst(src->usbpid); ln; ln = lnext(ln)) {
+    int *ip = malloc(sizeof(int));
+    if (ip == NULL) {
+      fprintf(stderr, "%s: out of memory allocating programmer structure\n",
+              progname);
+      exit(1);
+    }
+    *ip = *(int *) ldata(ln);
+    ladd(pgm->usbpid, ip);
+  }
 
   return pgm;
 }