Fossil

View Ticket

Ticket Hash: 6dba56543b89dc41463174c63c9f11e798c9cfb4
Title: fossil ticket --quote segfaults when adding to the comment
Status: Closed
Type: Code_Defect
Severity: Important
Priority:
Subsystem:
Resolution: Fixed
Last Modified: 2012-08-08 12:53:09
Version Found In: d982f8944c
Description:
$ fossil new foo.fossil
...
$ fossil ticket -R foo.fossil add title test
ticket add succeeded for UID a0e7afe56ceaf2e28dfa79bc1db34aa2a767e7c1
$ fossil ticket -R foo.fossil change a0e7afe56 comment 'foo' --quote
ticket set succeeded for UID a0e7afe56ceaf2e28dfa79bc1db34aa2a767e7c1
$ fossil ticket -R foo.fossil change a0e7afe56 +comment 'foo' --quote
segmentation fault

mistachkin added on 2012-08-08 03:47:31 UTC:
Reading the code, I'm somewhat confused about the proposed fix. Perhaps it should be something like this instead, given the nature of the other if block enclosed with if( tktEncoding == tktFossilize )?

Index: src/tkt.c
==================================================================
--- src/tkt.c
+++ src/tkt.c
@@ -1167,11 +1167,11 @@
         }else{
           blob_appendf(&tktchng, "J%s%s %#F\n", zPfx,
                        azField[i], strlen(zValue), zValue);
         }
         if( tktEncoding == tktFossilize ){
-          free(azValue[i]);
+          free(zFValue);
         }
       }
       blob_appendf(&tktchng, "K %s\n", zTktUuid);
       blob_appendf(&tktchng, "U %F\n", zUser);
       md5sum_blob(&tktchng, &cksum);
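Review bot: the hunk frees zFValue but never shows where zFValue is declared or assigned, while the record two lines up is written from zValue; confirm, above this hunk, that zFValue is the pointer returned by the fossilize step on both the plain set path and the `+`-prefixed append path (the reported crash is on `+comment`), because freeing a pointer the allocator did not return on either path would only move the fault rather than remove it. A one-line comment beside the free() saying what zFValue owns would make the ownership clear to the next reader.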

rmax added on 2012-08-08 11:18:20 UTC:
Indeed, the distinction whether it is azAppend[i] or azValue[i] that needs to be freed is already being made two if blocks above, so we don't need to repeat it here and can just free zValue.
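As an added illustration of the ownership rule rmax describes (free only the pointer you allocated, never the caller's argument), here is a constructed model of the field loop. It is not Fossil's code: escape_copy stands in for the fossilize step, and TktField and render_fields are hypothetical names; the "J" line format is only loosely modelled on the hunk above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ticket-field loop; not Fossil's code.
   A field value is either used exactly as the caller passed it or
   first copied into a freshly allocated, escaped buffer. Only that
   copy is ours to free. */

/* Hypothetical escaping step standing in for fossilization: escapes
   backslash, space and newline. Returns a malloc'd string, or NULL. */
char *escape_copy(const char *zIn){
  size_t n = strlen(zIn);
  char *zOut = malloc(2*n + 1);   /* worst case: every byte doubles */
  size_t j = 0;
  if( zOut==0 ) return 0;
  for(size_t i=0; i<n; i++){
    char c = zIn[i];
    if( c=='\\' || c==' ' ){
      zOut[j++] = '\\';
      zOut[j++] = c;
    }else if( c=='\n' ){
      zOut[j++] = '\\';
      zOut[j++] = 'n';
    }else{
      zOut[j++] = c;
    }
  }
  zOut[j] = 0;
  return zOut;
}

typedef struct {
  const char *zName;   /* field name as typed; a "+" prefix means append */
  const char *zArg;    /* value from argv: never free()d here */
} TktField;

/* Render the fields as "J<name> <value>" lines into zOut (size nOut).
   When doEscape is set each value goes through escape_copy() and the
   copy, and only the copy, is released after use. Returns the number
   of bytes written, or -1 on allocation failure or a too-small zOut. */
int render_fields(const TktField *aField, int nField, int doEscape,
                  char *zOut, size_t nOut){
  size_t used = 0;
  if( nOut==0 ) return -1;
  zOut[0] = 0;
  for(int i=0; i<nField; i++){
    const char *zPfx = "";
    const char *zName = aField[i].zName;
    const char *zValue = aField[i].zArg;   /* may alias argv */
    char *zFValue = 0;                     /* the one pointer we own */
    if( zName[0]=='+' ){ zPfx = "+"; zName++; }
    if( doEscape ){
      zFValue = escape_copy(zValue);
      if( zFValue==0 ) return -1;
      zValue = zFValue;                    /* zValue now aliases the copy */
    }
    /* "J" + prefix + name + " " + value + "\n" */
    size_t need = 1 + strlen(zPfx) + strlen(zName) + 1 + strlen(zValue) + 1;
    if( used + need + 1 > nOut ){ free(zFValue); return -1; }
    used += (size_t)snprintf(zOut+used, nOut-used, "J%s%s %s\n",
                             zPfx, zName, zValue);
    /* Free the escaped copy, never aField[i].zArg: passing a pointer that
       malloc() did not return to free() is undefined behaviour and is the
       kind of mistake that surfaces as a segfault. free(NULL) is a no-op,
       so the unescaped path needs no special case. */
    free(zFValue);
  }
  return (int)used;
}
```

The point of the shape is that zValue may alias either the caller's argument or the escaped copy, so cleanup must key off the pointer that was actually allocated (zFValue) rather than off whichever name was convenient when the record was written.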


drh added on 2012-08-08 12:35:16 UTC:
Nothing needs to be freed here. Remember that an instance of Fossil runs a single command then exits. We don't need to worry about leaking a few bytes of memory associated with a ticket field. The OS will clean it up for us.

The simplest and safest fix is to simply omit the free() call.


rmax added on 2012-08-08 12:52:38 UTC:
Yes, [0bc2a94104] fixes it.

