#At file:///home/cmiller/work/mysqlbzr/5.1-bugteam--bug42675/ based on
revid:patrick.crews@stripped
2841 Chad MILLER 2009-03-17
Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c patch enclosed)
One call to my_error_unregister_all() would free pointers, but leave one
pointer to just-freed memory still assigned. That's the bug. Subsequent
calls of this function would try to follow pointers into deallocated,
garbage memory and almost certainly SEGV.
Now, after freeing a linked list, unset the initial pointer.
modified:
mysys/my_error.c
=== modified file 'mysys/my_error.c'
--- a/mysys/my_error.c 2009-02-05 06:16:00 +0000
+++ b/mysys/my_error.c 2009-03-17 19:31:07 +0000
@@ -252,11 +252,16 @@ const char **my_error_unregister(int fir
void my_error_unregister_all(void)
{
- struct my_err_head *list, *next;
- for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+ struct my_err_head *cursor, *saved_next;
+
+ for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
{
- next= list->meh_next;
- my_free((uchar*) list, MYF(0));
+ /* We need this ptr, but we're about to free its container, so save it. */
+ saved_next= cursor->meh_next;
+
+ my_free((uchar*) cursor, MYF(0));
}
+ my_errmsgs_globerrs.meh_next= NULL; /* Freed in first iteration above. */
+
my_errmsgs_list= &my_errmsgs_globerrs;
}
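Review bot: The hunk removes the dangling `my_errmsgs_globerrs.meh_next` but carries no regression test; since the commit message states the crash only appears on a subsequent call, a mysys unit test that registers a block, calls `my_error_unregister_all()` twice, and then registers again would catch a reintroduction. Minor: the trailing comment `/* Freed in first iteration above. */` holds only when the list was non-empty; something like `/* Head of the freed list; clear it so repeated calls are safe. */` states the invariant the assignment actually establishes.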
Attachment: [text/bzr-bundle] bzr/chad@mysql.com-20090317193107-cs9c9ufvv3ino37y.bundle
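As an added illustration (not MySQL's code, and not from the bundle above), the following minimal model of the mysys error-message list shows the pattern the commit message describes: freeing a singly linked list and then clearing the static head pointer so a repeated call walks nothing instead of freed memory. The names `err_head`, `errmsgs_globerrs`, `register_msgs`, `unregister_all` and `registered_count` are constructed for this example.

```c
/* Constructed example: a stand-in for the my_err_head list in mysys/my_error.c.
 * Names are made up for this illustration and are not the MySQL identifiers. */
#include <stdlib.h>
#include <stdbool.h>

struct err_head {
    struct err_head *next;
    int first;            /* first error number covered by this block */
};

/* Static sentinel node (like my_errmsgs_globerrs); its next field points to the
 * first heap-allocated block, or is NULL when nothing is registered. */
static struct err_head errmsgs_globerrs = { NULL, 0 };

/* Prepend a heap node, in the spirit of my_error_register(). */
bool register_msgs(int first)
{
    struct err_head *node = malloc(sizeof *node);
    if (node == NULL)
        return false;
    node->first = first;
    node->next = errmsgs_globerrs.next;
    errmsgs_globerrs.next = node;
    return true;
}

/* Free every heap node. Without the final assignment the static head keeps
 * pointing at freed memory and a second call reads garbage (the bug); with it
 * the function is safe to call any number of times. */
void unregister_all(void)
{
    struct err_head *cursor, *saved_next;
    for (cursor = errmsgs_globerrs.next; cursor != NULL; cursor = saved_next) {
        saved_next = cursor->next;   /* read before the container is freed */
        free(cursor);
    }
    errmsgs_globerrs.next = NULL;    /* the fix: no dangling head pointer */
}

/* Number of registered blocks; 0 once unregister_all() has run. */
size_t registered_count(void)
{
    size_t n = 0;
    for (struct err_head *p = errmsgs_globerrs.next; p != NULL; p = p->next)
        n++;
    return n;
}
```

Building with `-fsanitize=address` and deleting the `errmsgs_globerrs.next = NULL;` line reproduces the heap-use-after-free report on the second `unregister_all()` call.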