author | Thirunarayanan Balathandayuthapani <thiru@mariadb.com> | 2020-07-23 16:34:38 +0530 |
---|---|---|
committer | Thirunarayanan Balathandayuthapani <thiru@mariadb.com> | 2020-07-23 16:34:38 +0530 |
commit | adeb736f9aa5322e58612cdf1d57826067d3bdb4 (patch) | |
tree | 4972e1ced5027c3d76e876b81acb15cce136a2be | |
parent | 52ccedd6dd50e8e5cd8ca9b1be84bc5e87c20950 (diff) | |
MDEV-22903 heap-use-after-free while accessing fts cache deleted doc ids
Problem:
=======
fts_cache_append_deleted_doc_ids() holds the deleted_lock and tries to
access the size of deleted_doc_ids. In the meantime, fts_cache_clear()
clears the sync_heap before clearing deleted_doc_ids. This leads to an
invalid access of deleted_doc_ids.
Fix:
===
fts_cache_clear() should free the sync_heap after clearing
deleted_doc_ids.
-rw-r--r-- | storage/innobase/fts/fts0fts.cc | 6 | ||||
-rw-r--r-- | storage/xtradb/fts/fts0fts.cc | 6 |
2 files changed, 6 insertions, 6 deletions
diff --git a/storage/innobase/fts/fts0fts.cc b/storage/innobase/fts/fts0fts.cc
index 54cf2f11884..2a1341c4cf0 100644
--- a/storage/innobase/fts/fts0fts.cc
+++ b/storage/innobase/fts/fts0fts.cc
@@ -1127,14 +1127,14 @@ fts_cache_clear(
 		index_cache->doc_stats = NULL;
 	}
 
-	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
-	cache->sync_heap->arg = NULL;
-
 	cache->total_size = 0;
 
 	mutex_enter((ib_mutex_t*) &cache->deleted_lock);
 	cache->deleted_doc_ids = NULL;
 	mutex_exit((ib_mutex_t*) &cache->deleted_lock);
+
+	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
+	cache->sync_heap->arg = NULL;
 }
 
 /*********************************************************************//**
diff --git a/storage/xtradb/fts/fts0fts.cc b/storage/xtradb/fts/fts0fts.cc
index 54cf2f11884..2a1341c4cf0 100644
--- a/storage/xtradb/fts/fts0fts.cc
+++ b/storage/xtradb/fts/fts0fts.cc
@@ -1127,14 +1127,14 @@ fts_cache_clear(
 		index_cache->doc_stats = NULL;
 	}
 
-	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
-	cache->sync_heap->arg = NULL;
-
 	cache->total_size = 0;
 
 	mutex_enter((ib_mutex_t*) &cache->deleted_lock);
 	cache->deleted_doc_ids = NULL;
 	mutex_exit((ib_mutex_t*) &cache->deleted_lock);
+
+	mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
+	cache->sync_heap->arg = NULL;
 }
 
 /*********************************************************************//**
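Review bot: The reordering is correct only because of an invariant the hunk leaves unstated: deleted_doc_ids is (per the commit description) backed by sync_heap, so the vector pointer must be NULL-ed under deleted_lock before the heap is freed, and any later edit that moves the mem_heap_free() back up, or adds another sync_heap-backed structure that is read under its own lock, silently reintroduces the use-after-free. I would pin that down with a comment above the added mem_heap_free(): `/* deleted_doc_ids lives in sync_heap: clear it under deleted_lock before freeing the heap, or a concurrent fts_cache_append_deleted_doc_ids() reads freed memory (MDEV-22903). */`. Readers such as fts_cache_append_deleted_doc_ids() are presumably safe only if they test deleted_doc_ids for NULL while holding deleted_lock and never touch the vector after releasing it; that code is not in the hunk, so it is worth confirming. The same point applies verbatim to the storage/xtradb/fts/fts0fts.cc hunk. fts_cache_clear() begins before the hunk.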