jtag/tcl: fix a double free of jim object

The Jim_SetResultFormatted() frees jim object earlier and the
Jim_FreeNewObj() does it second time. It breaks the memory heap.

To avoid it the Jim_IncrRefCount() + Jim_DecrRefCount() should be used
instead of the Jim_FreeNewObj() call.

Change-Id: Ifa5f38009b2d617624b5f27e916720888a3dbad9
Signed-off-by: Mikhail Rasputin <mikhail.godlike.rasputin@yandex.ru>
Reviewed-on: http://openocd.zylin.com/5724
Tested-by: jenkins
Reviewed-by: Antonio Borneo <borneo.antonio@gmail.com>

diff --git a/src/jtag/tcl.c b/src/jtag/tcl.c
index d2f1f0db510c0aea5b2640c2a24f5bedfb52c7dd..8b76bff07e37c25d850b6fcbd62b6996568ea602 100644 (file)
--- a/src/jtag/tcl.c
+++ b/src/jtag/tcl.c
@@ -689,8 +689,9 @@ static int jim_jtag_arp_init(Jim_Interp *interp, int argc, Jim_Obj *const *argv)
        int e = jtag_init_inner(context);
        if (e != ERROR_OK) {
                Jim_Obj *eObj = Jim_NewIntObj(goi.interp, e);
+               Jim_IncrRefCount(eObj);
                Jim_SetResultFormatted(goi.interp, "error: %#s", eObj);
-               Jim_FreeNewObj(goi.interp, eObj);
+               Jim_DecrRefCount(goi.interp, eObj);
                return JIM_ERR;
        }
        return JIM_OK;
@@ -713,8 +714,9 @@ static int jim_jtag_arp_init_reset(Jim_Interp *interp, int argc, Jim_Obj *const
 
        if (e != ERROR_OK) {
                Jim_Obj *eObj = Jim_NewIntObj(goi.interp, e);
+               Jim_IncrRefCount(eObj);
                Jim_SetResultFormatted(goi.interp, "error: %#s", eObj);
-               Jim_FreeNewObj(goi.interp, eObj);
+               Jim_DecrRefCount(goi.interp, eObj);
                return JIM_ERR;
        }
        return JIM_OK;