[Patch] input/input.c invalid use of free
Hi,

At the end of mp_input_parse_cmd the following code snippet may be found:

    for( ; i < MP_CMD_MAX_ARGS && cmd_def->args[i].type != -1 ; i++) {
      memcpy(&cmd->args[i],&cmd_def->args[i],sizeof(mp_cmd_arg_t));
      if(cmd_def->args[i].type == MP_CMD_ARG_STRING && cmd_def->args[i].v.s != NULL)
        cmd->args[i].v.s = strdup(cmd_def->args[i].v.s);
    }

The bug is that the cmd_def->args[i] struct isn't copied when cmd_def->args[i].type is -1. This results in a bug in mp_cmd_free if one of the cmd->args[n].type is MP_CMD_ARG_STRING where i <= n < MP_CMD_MAX_ARGS. The attached patch fixes this.

Btw, in mp_input_parse_cmd errno is set to 0 and then atoi and atof are used. After the calls to these functions errno is used to check if any error occurred. Quote from atoi(3):

    The atoi() function converts the initial portion of the string pointed
    to by nptr to int. The behaviour is the same as
        strtol(nptr, (char **)NULL, 10);
    except that atoi() does not detect errors.
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Same thing with atof. So the Right Thing To Do is to use strtol and strtod instead.

/ Fredrik Kuivinen
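The two problems reported in the mail, as an added C example. This is not MPlayer's code and not the attached patch (which is not shown on this page): the type and macro names echo the ones quoted above, but the structs, the constructed "seek" definition and the parse_int/parse_float/parse_seek helpers are assumptions made for this example. It shows every args slot being initialised before mp_cmd_free_args() can see it, so a slot past the definition's end can never carry a stale MP_CMD_ARG_STRING type and a garbage pointer, and it replaces atoi/atof with strtol/strtod checked through errno and the end pointer.

```c
/* Added example, not MPlayer code: reduced model of the argument handling in
 * mp_input_parse_cmd.  Structs, command table and helper names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define MP_CMD_MAX_ARGS   4
#define MP_CMD_ARG_INT    0
#define MP_CMD_ARG_FLOAT  1
#define MP_CMD_ARG_STRING 2

typedef struct {
    int type;                           /* MP_CMD_ARG_*, or -1 for "no argument" */
    union { int i; float f; char *s; } v;
} mp_cmd_arg_t;

typedef struct {
    const char *name;
    mp_cmd_arg_t args[MP_CMD_MAX_ARGS]; /* defaults; the first type == -1 ends the list */
} mp_cmd_def_t;

typedef struct {
    const char *name;
    mp_cmd_arg_t args[MP_CMD_MAX_ARGS];
} mp_cmd_t;

/* Constructed definition: "seek" takes one int and one optional string. */
static const mp_cmd_def_t seek_def = {
    "seek",
    { { MP_CMD_ARG_INT,    { .i = 0 } },
      { MP_CMD_ARG_STRING, { .s = "relative" } },
      { -1, { .i = 0 } },
      { -1, { .i = 0 } } }
};

/* strtol-based replacement for atoi(): rejects empty input, trailing garbage
 * and out-of-range values, all of which atoi() silently accepts. */
int parse_int(const char *s, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Same treatment for atof(). */
int parse_float(const char *s, float *out)
{
    char *end;
    double v;
    errno = 0;
    v = strtod(s, &end);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;
    *out = (float)v;
    return 0;
}

/* Frees the strings a parsed command owns.  Like mp_cmd_free in the mail, it
 * trusts the type field of every slot, so every slot must be initialised. */
void mp_cmd_free_args(mp_cmd_t *cmd)
{
    int i;
    for (i = 0; i < MP_CMD_MAX_ARGS; i++)
        if (cmd->args[i].type == MP_CMD_ARG_STRING)
            free(cmd->args[i].v.s);
}

/* Parse "seek <int> [<string>]" into cmd.  Returns 0 on success, -1 on error;
 * on error the strings already allocated are released and cmd holds no owners. */
int parse_seek(mp_cmd_t *cmd, const char *line)
{
    char buf[128], *save, *tok;
    const mp_cmd_def_t *def = &seek_def;
    int i;

    /* The initialisation the quoted loop lacks: mark every slot unused first,
     * so a stale type == MP_CMD_ARG_STRING can never reach mp_cmd_free_args(). */
    cmd->name = def->name;
    for (i = 0; i < MP_CMD_MAX_ARGS; i++) {
        cmd->args[i].type = -1;
        cmd->args[i].v.s = NULL;
    }
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    tok = strtok_r(buf, " ", &save);
    if (tok == NULL || strcmp(tok, def->name) != 0)
        return -1;

    /* Arguments present on the command line, typed by the definition. */
    for (i = 0; i < MP_CMD_MAX_ARGS && def->args[i].type != -1; i++) {
        tok = strtok_r(NULL, " ", &save);
        if (tok == NULL)
            break;                              /* the rest comes from defaults */
        cmd->args[i].type = def->args[i].type;
        switch (def->args[i].type) {
        case MP_CMD_ARG_INT:
            if (parse_int(tok, &cmd->args[i].v.i) != 0) { mp_cmd_free_args(cmd); return -1; }
            break;
        case MP_CMD_ARG_FLOAT:
            if (parse_float(tok, &cmd->args[i].v.f) != 0) { mp_cmd_free_args(cmd); return -1; }
            break;
        case MP_CMD_ARG_STRING:
            cmd->args[i].v.s = strdup(tok);
            break;
        }
    }
    /* Defaults for omitted arguments: the same loop the mail quotes. */
    for (; i < MP_CMD_MAX_ARGS && def->args[i].type != -1; i++) {
        memcpy(&cmd->args[i], &def->args[i], sizeof(mp_cmd_arg_t));
        if (def->args[i].type == MP_CMD_ARG_STRING && def->args[i].v.s != NULL)
            cmd->args[i].v.s = strdup(def->args[i].v.s);
    }
    return 0;
}
```

Initialising every slot up front, rather than only the tail after the copy loop, also keeps the error path safe: a failed parse_int can then hand the half-filled command to mp_cmd_free_args() without freeing anything that was never allocated. The end-pointer test (`*end != '\0'`) is what turns "12abc" from a silently accepted 12 into an error, which errno alone would never report.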
Hi Fredrik Kuivinen,

Thx. Applied.

Albeu
participants (2)
- Alban Bedel
- Fredrik Kuivinen