diff options
author | Chad MILLER <chad@mysql.com> | 2009-03-17 15:31:07 -0400 |
---|---|---|
committer | Chad MILLER <chad@mysql.com> | 2009-03-17 15:31:07 -0400 |
commit | 95618bb3f3c2dd8c9f0f760ef36e638096166138 (patch) | |
tree | 18a4f890bbe4f38dea40132f86614397317f5f63 /mysys | |
parent | 16d13fe521fa6a7f18af53bca44a80b45be58471 (diff) | |
download | mariadb-git-95618bb3f3c2dd8c9f0f760ef36e638096166138.tar.gz |
Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \
patch enclosed)
One call to my_error_unregister_all() would free pointers, but leave one
pointer to just-freed memory still assigned. That's the bug. Subsequent
calls of this function would try to follow pointers into deallocated,
garbage memory and almost certainly SEGV.
Now, after freeing a linked list, unset the initial pointer.
Diffstat (limited to 'mysys')
-rw-r--r-- | mysys/my_error.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/mysys/my_error.c b/mysys/my_error.c index 07656dda979..06f2ef6ba0f 100644 --- a/mysys/my_error.c +++ b/mysys/my_error.c @@ -252,11 +252,16 @@ const char **my_error_unregister(int first, int last) void my_error_unregister_all(void) { - struct my_err_head *list, *next; - for (list= my_errmsgs_globerrs.meh_next; list; list= next) + struct my_err_head *cursor, *saved_next; + + for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next) { - next= list->meh_next; - my_free((uchar*) list, MYF(0)); + /* We need this ptr, but we're about to free its container, so save it. */ + saved_next= cursor->meh_next; + + my_free((uchar*) cursor, MYF(0)); } + my_errmsgs_globerrs.meh_next= NULL; /* Freed in first iteration above. */ + my_errmsgs_list= &my_errmsgs_globerrs; } |