#At file:///home/cmiller/work/mysqlbzr/5.1-bugteam--bug42675/ based on revid:patrick.crews@stripped
2841 Chad MILLER 2009-03-17
Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \
One call to my_error_unregister_all() would free pointers, but leave one
pointer to just-freed memory still assigned. That's the bug. Subsequent
calls of this function would try to follow pointers into deallocated,
garbage memory and almost certainly SEGV.
Now, after freeing a linked list, unset the initial pointer.
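The teardown pattern the commit message describes, as an added example that is not MySQL's code: a reduced model of the registry list in mysys/my_error.c, where `err_head`, `globerrs` and the `first_error` field are hypothetical stand-ins for `my_err_head`, `my_errmsgs_globerrs` and the real node contents. It goes one step beyond the patch by unlinking each node from the global head before freeing it, so the head never refers to released memory even mid-loop, and a second call is a harmless no-op.

```c
/* Added example, not MySQL's code: a reduced model of the my_error.c list
 * fixed above. err_head/globerrs are stand-ins for my_err_head and
 * my_errmsgs_globerrs; the "first_error" field is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct err_head {
    struct err_head *next;   /* stands in for meh_next */
    int first_error;
};

static struct err_head globerrs = { NULL, 0 };   /* sentinel head node */
/* Prepend one block of error numbers, as my_error_register() does. */
static int err_register(int first_error)
{
    struct err_head *node = malloc(sizeof *node);
    if (node == NULL)
        return -1;
    node->first_error = first_error;
    node->next = globerrs.next;
    globerrs.next = node;
    return 0;
}

/* Free every registered block. The head's link is advanced past a node
 * before that node is freed, so the global list never points at released
 * memory, even mid-loop, and a repeat call just sees an empty list.
 * Returns the number of blocks freed. */
static int err_unregister_all(void)
{
    int freed = 0;
    struct err_head *cursor;
    while ((cursor = globerrs.next) != NULL) {
        globerrs.next = cursor->next;   /* unlink first ... */
        free(cursor);                   /* ... then release */
        freed++;
    }
    return freed;   /* globerrs.next is NULL here */
}

static int err_list_nonempty(void) { return globerrs.next != NULL; }

int main(void)
{
    err_register(1000); err_register(2000); err_register(3000);
    printf("freed %d\n", err_unregister_all());   /* 3 */
    printf("freed %d\n", err_unregister_all());   /* 0: safe to call twice */
    return 0;
}
```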
=== modified file 'mysys/my_error.c'
--- a/mysys/my_error.c 2009-02-05 06:16:00 +0000
+++ b/mysys/my_error.c 2009-03-17 19:31:07 +0000
@@ -252,11 +252,16 @@ const char **my_error_unregister(int fir
- struct my_err_head *list, *next;
- for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+ struct my_err_head *cursor, *saved_next;
+ for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
- next= list->meh_next;
- my_free((uchar*) list, MYF(0));
+ /* We need this ptr, but we're about to free its container, so save it. */
+ saved_next= cursor->meh_next;
+ my_free((uchar*) cursor, MYF(0));
+ my_errmsgs_globerrs.meh_next= NULL; /* Freed in first iteration above. */
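Review bot: the fix is the single added line `my_errmsgs_globerrs.meh_next= NULL;` after the loop; renaming `list`/`next` to `cursor`/`saved_next` and spelling out `cursor != NULL` is cosmetic churn that turns a one-line bug fix into a ten-line diff and makes the actual defect harder to spot in history, so consider keeping the rename out of this commit. Alternatively, reset the head inside the loop (`my_errmsgs_globerrs.meh_next= saved_next;` right after `my_free()`), which keeps the global list consistent at every step and makes the trailing assignment and its "Freed in first iteration above" comment unnecessary. A regression test that calls my_error_unregister_all() twice, the exact sequence the commit message says crashed, would also help.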