From:Chad MILLER Date:March 17 2009 7:31pm
Subject:bzr commit into mysql-5.1-bugteam branch (chad:2841) Bug#42675
#At file:///home/cmiller/work/mysqlbzr/5.1-bugteam--bug42675/ based on revid:patrick.crews@stripped

 2841 Chad MILLER	2009-03-17
      Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \
      	patch enclosed)
      One call to my_error_unregister_all() would free pointers, but leave one
      pointer to just-freed memory still assigned.  That's the bug.  Subsequent
      calls of this function would try to follow pointers into deallocated, 
      garbage memory and almost certainly SEGV.
      Now, after freeing a linked list, unset the initial pointer.

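As an added illustration that is not part of this commit or of mysys, the defect described above on a simplified stand-in for the my_err_head list: the names err_head, err_register, err_unregister_all_dangling, err_unregister_all_fixed and fixed_is_idempotent are assumptions, and the node layout keeps only the link and a message range.

```c
#include <stdlib.h>

/* Stand-in for the my_err_head list in mysys/my_error.c: a static head node
 * whose meh_next chains heap-allocated message ranges (simplified layout). */
struct err_head {
  struct err_head *meh_next;
  int first_errno, last_errno;
};

/* Link a heap node after the head (simplified my_error_register; assumed name). */
int err_register(struct err_head *head, int first, int last)
{
  struct err_head *node = malloc(sizeof *node);
  if (node == NULL)
    return -1;
  node->first_errno = first;
  node->last_errno = last;
  node->meh_next = head->meh_next;
  head->meh_next = node;
  return 0;
}

/* BEFORE: frees every node but leaves head->meh_next pointing at freed memory,
 * so a second call walks a dangling pointer (the Bug#42675 crash). */
void err_unregister_all_dangling(struct err_head *head)
{
  struct err_head *cursor, *saved_next;
  for (cursor = head->meh_next; cursor != NULL; cursor = saved_next) {
    saved_next = cursor->meh_next;  /* save before freeing its container */
    free(cursor);
  }
}

/* AFTER: same loop, then unset the head link, as the patch does. Nothing reads
 * the stale head->meh_next between the loop and the reset. */
void err_unregister_all_fixed(struct err_head *head)
{
  err_unregister_all_dangling(head);
  head->meh_next = NULL;
}

/* Register two ranges, clear twice: 1 if the repeat call is a safe no-op. */
int fixed_is_idempotent(void)
{
  struct err_head head = { NULL, 0, 0 };
  if (err_register(&head, 1000, 1999) || err_register(&head, 2000, 2999))
    return -1;
  err_unregister_all_fixed(&head);
  err_unregister_all_fixed(&head);  /* would SEGV with the dangling version */
  return head.meh_next == NULL;
}
```

Running the dangling variant twice on the same head is the crash the bug report describes, which is why the check only exercises the fixed one twice.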
=== modified file 'mysys/my_error.c'
--- a/mysys/my_error.c	2009-02-05 06:16:00 +0000
+++ b/mysys/my_error.c	2009-03-17 19:31:07 +0000
@@ -252,11 +252,16 @@ const char **my_error_unregister(int fir
 void my_error_unregister_all(void)
-  struct my_err_head    *list, *next;
-  for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+  struct my_err_head *cursor, *saved_next;
+  for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
-    next= list->meh_next;
-    my_free((uchar*) list, MYF(0));
+	/* We need this ptr, but we're about to free its container, so save it. */
+    saved_next= cursor->meh_next;
+    my_free((uchar*) cursor, MYF(0));
+  my_errmsgs_globerrs.meh_next= NULL;  /* Freed in first iteration above. */
   my_errmsgs_list= &my_errmsgs_globerrs;
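Review bot: the added comment line `/* We need this ptr, but we're about to free its container, so save it. */` is indented with a tab while the other new lines in this hunk use spaces; please convert it so the file keeps one indentation style. The line `my_errmsgs_globerrs.meh_next= NULL;` after the loop is the actual fix, since it is what stops a second call from following the freed first node; the `list`/`next` to `cursor`/`saved_next` rename and the explicit `cursor != NULL` are readability changes with no behaviour difference. One wording nit: "Freed in first iteration above" only holds when something was registered; the assignment is correct either way, so consider "Freed above, if anything was registered" or similar.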
