diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2022-01-29 13:42:38 +0100 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2022-01-29 13:42:38 +0100 |
| commit | 8afcda9309832f44a9ba27aaf16d08a0357c0880 (patch) | |
| tree | 42c3475ae828eb170f5d2d62a30bc67f997ff56c /storage/connect | |
| parent | 5e5feb84b6211f6fe9bbed767512b7b944f59ec9 (diff) | |
| download | mariadb-git-8afcda9309832f44a9ba27aaf16d08a0357c0880.tar.gz | |
ASAN/valgrind errors in connect.misc test
accessing freed memory.
Before XMLCOL::WriteColumn() Tdbp->Clist gets assigned
a nodelist in
Clist = RowNode->SelectNodes(g, Colname, Clist);
which is RowNode->Doc->Xop->nodesetval.
In XMLCOL::WriteColumn()
ValNode = ColNode->SelectSingleNode(g, Xname, Vxnp);
calls LIBXMLDOC::GetNodeList() again, which frees the previous
XPath object Xop and replaces it with a new one.
In this case RowNode->Doc == ColNode->Doc, so Clist->Listp
points to a freed memory now.
Diffstat (limited to 'storage/connect')
| -rw-r--r-- | storage/connect/tabxml.cpp | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/storage/connect/tabxml.cpp b/storage/connect/tabxml.cpp index 7357d2373c8..f17f5278c96 100644 --- a/storage/connect/tabxml.cpp +++ b/storage/connect/tabxml.cpp @@ -1803,6 +1803,9 @@ void XMLCOL::WriteColumn(PGLOBAL g) else if (Tdbp->Clist) ColNode = NULL; + // refresh CList in case its Listp was freed in SelectSingleNode above + if (Tdbp->Clist) + Tdbp->RowNode->SelectNodes(g, Tdbp->Colname, Tdbp->Clist); } // endfor i /*********************************************************************/ |