Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \

patch enclosed) One call to my_error_unregister_all() would free pointers, but leave one pointer to just-freed memory still assigned. That's the bug. Subsequent calls of this function would try to follow pointers into deallocated, garbage memory and almost certainly SEGV. Now, after freeing a linked list, unset the initial pointer.

Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c \
patch enclosed) One call to my_error_unregister_all() would free pointers, but leave one pointer to just-freed memory still assigned. That's the bug. Subsequent calls of this function would try to follow pointers into deallocated, garbage memory and almost certainly SEGV. Now, after freeing a linked list, unset the initial pointer.
926c530c · Chad MILLER · bfcfbbbc · 926c530c
Commit 926c530c authored Mar 17, 2009 by Chad MILLER
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 4 deletions

mysys/my_error.c mysys/my_error.c +9 -4

No files found.
--- a/mysys/my_error.c
+++ b/mysys/my_error.c
@@ -252,11 +252,16 @@ const char **my_error_unregister(int first, int last)
 void my_error_unregister_all(void)
 {
-  struct my_err_head    *list, *next;
+  struct my_err_head *cursor, *saved_next;
-  for (list= my_errmsgs_globerrs.meh_next; list; list= next)
+  for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
  {
-    next= list->meh_next;
+	/* We need this ptr, but we're about to free its container, so save it. */
-    my_free((uchar*) list, MYF(0));
+    saved_next= cursor->meh_next;
+    my_free((uchar*) cursor, MYF(0));
  }
+  my_errmsgs_globerrs.meh_next= NULL;  /* Freed in first iteration above. */
  my_errmsgs_list= &my_errmsgs_globerrs;
 }