From 5db6fb5f52a316c2aef150fdb9ce2de72a9af8d9 Mon Sep 17 00:00:00 2001
From: Chad MILLER
Date: Tue, 17 Mar 2009 15:31:07 -0400
Subject: Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \ patch enclosed)

One call to my_error_unregister_all() would free pointers, but leave one pointer to just-freed memory still assigned. That's the bug. Subsequent calls of this function would try to follow pointers into deallocated, garbage memory and almost certainly SEGV.

Now, after freeing a linked list, unset the initial pointer.
---
 mysys/my_error.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'mysys/my_error.c')

diff --git a/mysys/my_error.c b/mysys/my_error.c
index 07656dda979..06f2ef6ba0f 100644
--- a/mysys/my_error.c
+++ b/mysys/my_error.c
@@ -252,11 +252,16 @@ const char **my_error_unregister(int first, int last)
 void my_error_unregister_all(void)
 {
-  struct my_err_head *list, *next;
-  for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+  struct my_err_head *cursor, *saved_next;
+
+  for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
   {
-    next= list->meh_next;
-    my_free((uchar*) list, MYF(0));
+    /* We need this ptr, but we're about to free its container, so save it. */
+    saved_next= cursor->meh_next;
+
+    my_free((uchar*) cursor, MYF(0));
   }
+  my_errmsgs_globerrs.meh_next= NULL;  /* Freed in first iteration above. */
+
   my_errmsgs_list= &my_errmsgs_globerrs;
 }
--
cgit v1.2.1

From e26033daf9467fe0e984581998cd63ce910fc9e2 Mon Sep 17 00:00:00 2001
From: Chad MILLER
Date: Tue, 17 Mar 2009 15:43:00 -0400
Subject: Fix indentation. tab -> spaces
---
 mysys/my_error.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'mysys/my_error.c')

diff --git a/mysys/my_error.c b/mysys/my_error.c
index 06f2ef6ba0f..2cf704d0089 100644
--- a/mysys/my_error.c
+++ b/mysys/my_error.c
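Review bot: The trailing comment `/* Freed in first iteration above. */` on the new `my_errmsgs_globerrs.meh_next= NULL;` line does not hold when the list is already empty — the loop body never runs, nothing was freed, and the assignment is then a harmless no-op — so it describes one path rather than the invariant the line establishes. What the line actually guarantees is that the static head never retains a pointer to released nodes, which is what turns a second call to my_error_unregister_all() into a no-op instead of a use-after-free; suggest `/* Detach the freed chain from the static head so a repeat call is a no-op. */`. The hunk header shows my_error_unregister() directly above this function; if it unlinks nodes from the same list (not visible here), it is worth confirming it likewise clears or rewires every link to a node it frees. The hunk covers the whole of my_error_unregister_all().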
@@ -256,7 +256,7 @@ void my_error_unregister_all(void)
   for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
   {
-    /* We need this ptr, but we're about to free its container, so save it. */
+    /* We need this ptr, but we're about to free its container, so save it. */
     saved_next= cursor->meh_next;
 
     my_free((uchar*) cursor, MYF(0));
--
cgit v1.2.1