Commit 95618bb3 authored by Chad MILLER

Bug#42675: Dangling pointer leads to a client crash (mysys/my_error.c patch enclosed)
  
One call to my_error_unregister_all() would free pointers, but leave one
pointer to just-freed memory still assigned.  That's the bug.  Subsequent
calls of this function would try to follow pointers into deallocated, 
garbage memory and almost certainly SEGV.

Now, after freeing a linked list, unset the initial pointer.
parent 16d13fe5
......@@ -252,11 +252,16 @@ const char **my_error_unregister(int first, int last)
void my_error_unregister_all(void)
{
struct my_err_head *list, *next;
for (list= my_errmsgs_globerrs.meh_next; list; list= next)
struct my_err_head *cursor, *saved_next;
for (cursor= my_errmsgs_globerrs.meh_next; cursor != NULL; cursor= saved_next)
{
next= list->meh_next;
my_free((uchar*) list, MYF(0));
/* We need this ptr, but we're about to free its container, so save it. */
saved_next= cursor->meh_next;
my_free((uchar*) cursor, MYF(0));
}
my_errmsgs_globerrs.meh_next= NULL; /* Freed in first iteration above. */
my_errmsgs_list= &my_errmsgs_globerrs;
}
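Review bot: the comment on `my_errmsgs_globerrs.meh_next= NULL;` ("Freed in first iteration above.") understates why the reset is needed and is wrong when the list is empty, since the loop body never runs in that case. Something like "All nodes were freed above; clear the head so a later call does not walk freed memory" would record the actual invariant. The rename of `list`/`next` to `cursor`/`saved_next` is also mixed into the same hunk as the one-line fix, which makes the behavioural change harder to spot in review; consider splitting it out. No test is visible here, and a regression test that calls my_error_unregister_all() twice in a row would pin the behaviour the commit message describes.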