authorChad MILLER <chad@mysql.com>2009-03-17 15:31:07 -0400
committerChad MILLER <chad@mysql.com>2009-03-17 15:31:07 -0400
commit95618bb3f3c2dd8c9f0f760ef36e638096166138 (patch)
tree18a4f890bbe4f38dea40132f86614397317f5f63 /mysys
parent16d13fe521fa6a7f18af53bca44a80b45be58471 (diff)
Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \
patch enclosed) One call to my_error_unregister_all() would free pointers, but leave one pointer to just-freed memory still assigned. That's the bug. Subsequent calls of this function would try to follow pointers into deallocated, garbage memory and almost certainly SEGV. Now, after freeing a linked list, unset the initial pointer.
Diffstat (limited to 'mysys')
-rw-r--r--mysys/my_error.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/mysys/my_error.c b/mysys/my_error.c
index 07656dda979..06f2ef6ba0f 100644
--- a/mysys/my_error.c
+++ b/mysys/my_error.c
@@ -252,11 +252,16 @@ const char **my_error_unregister(int first, int last)
void my_error_unregister_all(void)
{
- struct my_err_head *list, *next;
- for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+ struct my_err_head *cursor, *saved_next;
+
+ for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
{
- next= list->meh_next;
- my_free((uchar*) list, MYF(0));
+ /* We need this ptr, but we're about to free its container, so save it. */
+ saved_next= cursor->meh_next;
+
+ my_free((uchar*) cursor, MYF(0));
}
+ my_errmsgs_globerrs.meh_next= NULL; /* Freed in first iteration above. */
+
my_errmsgs_list= &my_errmsgs_globerrs;
}
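Review bot: The head pointer `my_errmsgs_globerrs.meh_next` is cleared only after the loop, so from the first `my_free()` until the loop ends it still refers to freed memory. Nothing in the hunk shows a reader running in that window, but detaching first closes it: initialise with `cursor= my_errmsgs_globerrs.meh_next;` followed by `my_errmsgs_globerrs.meh_next= NULL;` before the loop, then free from `cursor`. The trailing comment `/* Freed in first iteration above. */` is also not true when the list is empty; `/* List is gone; clear the head so a repeated call is a no-op. */` states the invariant the fix relies on. No locking is visible in this function, so whether another thread can walk the list during the call should be confirmed against the rest of my_error.c.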