database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-08-07 00:04:31 +03:00
Code Activity

Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \

Browse Source 
patch enclosed)
  
One call to my_error_unregister_all() would free pointers, but leave one
pointer to just-freed memory still assigned.  That's the bug.  Subsequent
calls of this function would try to follow pointers into deallocated, 
garbage memory and almost certainly SEGV.

Now, after freeing a linked list, unset the initial pointer.
This commit is contained in:
Chad MILLER
2009-03-17 15:31:07 -04:00
parent bfcfbbbc32
commit 926c530c7d
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
mysys/my_error.c
View File

@@ -252,11 +252,16 @@ const char **my_error_unregister(int first, int last)
void my_error_unregister_all(void) void my_error_unregister_all(void)
{ {
struct my_err_head *list, *next; struct my_err_head *cursor, *saved_next;
for (list= my_errmsgs_globerrs.meh_next; list; list= next)
for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
{ {
next= list->meh_next; /* We need this ptr, but we're about to free its container, so save it. */
my_free((uchar*) list, MYF(0)); saved_next= cursor->meh_next;
my_free((uchar*) cursor, MYF(0));
} }
my_errmsgs_globerrs.meh_next= NULL; /* Freed in first iteration above. */
my_errmsgs_list= &my_errmsgs_globerrs; my_errmsgs_list= &my_errmsgs_globerrs;
} }