Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \

patch enclosed) One call to my_error_unregister_all() would free pointers, but leave one pointer to just-freed memory still assigned. That's the bug. Subsequent calls of this function would try to follow pointers into deallocated, garbage memory and almost certainly SEGV. Now, after freeing a linked list, unset the initial pointer.
2025-08-01 03:47:19 +03:00 · 2009-03-17 15:31:07 -04:00
parent bfcfbbbc32
commit 926c530c7d
1 changed files with 9 additions and 4 deletions
--- a/mysys/my_error.c
+++ b/mysys/my_error.c
@ -252,11 +252,16 @@ const char **my_error_unregister(int first, int last)

 void my_error_unregister_all(void)
 {
-  struct my_err_head    *list, *next;
-  for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+  struct my_err_head *cursor, *saved_next;
+
+  for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
  {
-    next= list->meh_next;
-    my_free((uchar*) list, MYF(0));
+	/* We need this ptr, but we're about to free its container, so save it. */
+    saved_next= cursor->meh_next;
+
+    my_free((uchar*) cursor, MYF(0));
  }
+  my_errmsgs_globerrs.meh_next= NULL;  /* Freed in first iteration above. */
+
  my_errmsgs_list= &my_errmsgs_globerrs;
 }