From de1b9925650bb6e079ece924ba1b8d2f2124c731 Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Fri, 20 May 2022 09:31:18 +1000
Subject: MDEV-28597: double free in maria_open()

disk_cache is freed error handling functions. Because we've freed this earlier in maria_open, disk_cache is assigning to 0 (like the 10.3+ commit c127a1ba1450) to prevents the double free happing in the error path that can be triggered later in this function.
---
 storage/maria/ma_open.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/storage/maria/ma_open.c b/storage/maria/ma_open.c
index 87bded7ed50..68e07526601 100644
--- a/storage/maria/ma_open.c
+++ b/storage/maria/ma_open.c
@@ -900,6 +900,7 @@ MARIA_HA *maria_open(const char *name, int mode, uint open_flags)
   (keys ? MARIA_INDEX_BLOCK_MARGIN * share->block_size * keys : 0));
   my_free(disk_cache);
+  disk_cache= 0;
   _ma_setup_functions(share);
   max_data_file_length= share->base.max_data_file_length;
   if ((*share->once_init)(share, info.dfile.file))
-- cgit v1.2.1
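Review bot: The added `disk_cache= 0;` after `my_free(disk_cache);` carries no comment, and because the second free it neutralises lives in the error path well outside this hunk, a later cleanup can easily read the assignment as dead and drop it, reintroducing the double free. A one-line why-comment on the new line would pin the intent: `disk_cache= 0;   /* err: path frees it too; NULL makes that a no-op (MDEV-28597) */`. The assignment itself is correct since `my_free` on a null pointer is expected to be a no-op in this code base, though that, and the exact shape of the error-path free, cannot be confirmed from the hunk. Note that `maria_open` begins and ends outside the hunk, so the error label referenced by the commit message is not visible here.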