Merge r328355 into 0.9.x.

Original log message:

* memory/unix/apr_pools.c (pool_clear_debug): Scribble over blocks
with a poison byte before freeing them to help highlight
use-after-free bugs.


git-svn-id: http://svn.apache.org/repos/asf/apr/apr/branches/0.9.x@372609 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 9 insertions, 2 deletions

diff --git a/memory/unix/apr_pools.c b/memory/unix/apr_pools.c
index d669d93f2..49e2947ef 100644
--- a/memory/unix/apr_pools.c
+++ b/memory/unix/apr_pools.c
@@ -1346,6 +1346,8 @@ APR_DECLARE(void *) apr_pcalloc_debug(apr_pool_t *pool, apr_size_t size,
  * Pool creation/destruction (debug)
  */
 
+#define POOL_POISON_BYTE 'A'
+
 static void pool_clear_debug(apr_pool_t *pool, const char *file_line)
 {
     debug_node_t *node;
@@ -1368,13 +1370,18 @@ static void pool_clear_debug(apr_pool_t *pool, const char *file_line)
     /* Clear the user data. */
     pool->user_data = NULL;
 
-    /* Free the blocks */
+    /* Free the blocks, scribbling over them first to help highlight
+     * use-after-free issues. */
     while ((node = pool->nodes) != NULL) {
         pool->nodes = node->next;
 
-        for (index = 0; index < node->index; index++)
+        for (index = 0; index < node->index; index++) {
+            memset(node->beginp[index], POOL_POISON_BYTE,
+                   node->endp[index] - node->beginp[index]);
             free(node->beginp[index]);
+        }
 
+        memset(node, POOL_POISON_BYTE, SIZEOF_DEBUG_NODE_T);
         free(node);
     }