From 88d8c4b6f2da16263804c7819ebfa1257b32cb11 Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@cs.stanford.edu>
Date: Mon, 20 May 2013 22:54:31 -0700
Subject: [PATCH] FLIP: Fix use-after-free and double frees with temporary
 transformations.

I originally thought this was a bug in FLIP, but it turned out that in
fact we just hadn't ever really tested
proc_make_temporary_transformations_permanent() properly with actual
transformations, and especially with adding a transformation after calling
proc_make_temporary_transformations_permanent().

The modified test should avoid regression for the bug.

Bug #38832.
---
 src/data/dataset.c           |  2 ++
 src/data/transformations.c   |  1 +
 tests/language/stats/flip.at | 17 +++++++++++------
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/data/dataset.c b/src/data/dataset.c
index 9c3fe8cfec..7448bd38ef 100644
--- a/src/data/dataset.c
+++ b/src/data/dataset.c
@@ -759,6 +759,8 @@ proc_make_temporary_transformations_permanent (struct dataset *ds)
       trns_chain_splice (ds->permanent_trns_chain, ds->temporary_trns_chain);
       ds->temporary_trns_chain = NULL;
 
+      ds->cur_trns_chain = ds->permanent_trns_chain;
+
       dict_destroy (ds->permanent_dict);
       ds->permanent_dict = NULL;
 
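Review bot: The new assignment to `ds->cur_trns_chain` needs a comment saying that it clears a dangling pointer, because on its own it reads like a redundant store that a later cleanup could remove. trns_chain_splice() destroys its source chain, so if cur_trns_chain was aliasing the temporary chain (as the fix implies), it referred to freed memory until this line runs. I would add above it `/* cur_trns_chain may still point at the temporary chain that trns_chain_splice() just destroyed; repoint it before anything appends a transformation. */`. The function starts before this hunk, so whether any other field of ds still references the old chain cannot be checked from here.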
diff --git a/src/data/transformations.c b/src/data/transformations.c
index 7f8672805f..209d13f82b 100644
--- a/src/data/transformations.c
+++ b/src/data/transformations.c
@@ -166,6 +166,7 @@ trns_chain_splice (struct trns_chain *dst, struct trns_chain *src)
     }
   dst->trns_cnt += src->trns_cnt;
 
+  src->trns_cnt = 0;
   trns_chain_destroy (src);
 }
 
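Review bot: The ownership transfer that makes `src->trns_cnt = 0;` necessary is not documented at the line or, as far as the hunk shows, in the function's contract. After the copy loop the transformations belong to dst, and trns_chain_destroy() presumably walks trns_cnt entries releasing each one, so zeroing the count is what keeps them from being freed twice. I would put `/* DST now owns SRC's transformations; empty SRC so trns_chain_destroy() releases only the chain itself. */` above the new line and state in the header comment that SRC is consumed and must not be used by the caller afterwards. The start of trns_chain_splice is outside the hunk, so check whether it already rejects `dst == src`, which this sequence would turn into a use of a freed chain.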
diff --git a/tests/language/stats/flip.at b/tests/language/stats/flip.at
index 508c9d91be..2b7e234b42 100644
--- a/tests/language/stats/flip.at
+++ b/tests/language/stats/flip.at
@@ -11,6 +11,8 @@ x1112131415
 y1617181920
 z2122232425
 end data.
+temporary.
+compute e = a.
 flip newnames=n.
 list.
 flip.
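Review bot: This regression test compares only the listed output, so it can pass on a build where the use-after-free or double free is still present but happens not to corrupt anything visible. It is worth making sure the test also runs under a memory checker (valgrind or an AddressSanitizer build) in whatever configuration the project uses for that, since that is what would reliably catch bug #38832 returning. A `dnl Regression test for bug #38832: TEMPORARY transformations pending when FLIP runs.` line before the test's AT_SETUP, which lies outside this hunk, would also record why `temporary.` and `compute e = a.` were added.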
@@ -25,20 +27,23 @@ x,11,12,13,14
 y,16,17,18,19
 z,21,22,23,24
 
+flip.sps:12: warning: FLIP: FLIP ignores TEMPORARY.  Temporary transformations will be made permanent.
+
 Table: Data List
 CASE_LBL,v,w,x,y,z
 a       ,1.00,6.00,11.00,16.00,21.00
 b       ,2.00,7.00,12.00,17.00,22.00
 c       ,3.00,8.00,13.00,18.00,23.00
 d       ,4.00,9.00,14.00,19.00,24.00
+e       ,1.00,6.00,11.00,16.00,21.00
 
 Table: Data List
-CASE_LBL,a,b,c,d
-v       ,1.00,2.00,3.00,4.00
-w       ,6.00,7.00,8.00,9.00
-x       ,11.00,12.00,13.00,14.00
-y       ,16.00,17.00,18.00,19.00
-z       ,21.00,22.00,23.00,24.00
+CASE_LBL,a,b,c,d,e
+v       ,1.00,2.00,3.00,4.00,1.00
+w       ,6.00,7.00,8.00,9.00,6.00
+x       ,11.00,12.00,13.00,14.00,11.00
+y       ,16.00,17.00,18.00,19.00,16.00
+z       ,21.00,22.00,23.00,24.00,21.00
 ])
 AT_CLEANUP
 
-- 
2.30.2