From: Florian Weimer <fw@sourceware.org>
To: glibc-cvs@sourceware.org
Subject: [glibc] gconv: Check reference count in __gconv_release_cache [BZ #24677]
Date: Thu, 25 Jul 2019 22:26:00 -0000
Message-ID: <20190725222607.107217.qmail@sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=50ce3eae5ba304650459d4441d7d246a7cefc26f

commit 50ce3eae5ba304650459d4441d7d246a7cefc26f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Jul 18 17:27:24 2019 +0200

    gconv: Check reference count in __gconv_release_cache  [BZ #24677]
    
    This fixes a regression introduced in commit
    7e740ab2e7be7d83b75513aa406e0b10875f7f9c ("libio: Fix gconv-related
    memory leak [BZ #24583]").
    
    __gconv_release_cache is only ever called with heap-allocated
    arrays which contain at least one member.  The statically allocated
    ASCII steps are filtered out by __wcsmbs_close_conv.

Diff:
---
 ChangeLog           | 6 ++++++
 iconv/gconv_cache.c | 9 ++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 31a6b38..dbdb85d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-07-25  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #24677]
+	* iconv/gconv_cache.c (__gconv_release_cache): Check reference
+	counter before freeing array.
+
 2019-07-24  H.J. Lu  <hongjiu.lu@intel.com>
 
 	[BZ #24603]
diff --git a/iconv/gconv_cache.c b/iconv/gconv_cache.c
index 9a456bf..4db7287 100644
--- a/iconv/gconv_cache.c
+++ b/iconv/gconv_cache.c
@@ -446,9 +446,12 @@ __gconv_lookup_cache (const char *toset, const char *fromset,
 void
 __gconv_release_cache (struct __gconv_step *steps, size_t nsteps)
 {
-  if (gconv_cache != NULL)
-    /* The only thing we have to deallocate is the record with the
-       steps.  */
+  /* The only thing we have to deallocate is the record with the
+     steps.  But do not do this if the reference counter is still
+     positive.  This can happen if the steps array was cloned by
+     __wcsmbs_clone_conv.  (The array elements have separate __counter
+     fields, but they are only out of sync temporarily.)  */
+  if (gconv_cache != NULL && steps->__counter == 0)
     free (steps);
 }
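
Review bot: The new condition `steps->__counter == 0` reads only the first element of the array, so it depends on steps being non-NULL and holding at least one member. That precondition appears in the commit message but not in the code, and nsteps is never consulted. Consider stating it in the comment or adding an assert on nsteps ahead of the check, so that a future caller passing an empty or statically allocated array is caught rather than dereferenced or freed. The comment notes that the per-element __counter fields can be temporarily out of sync; it would help to say why element 0 is the one to trust at the point this function runs. The diffstat covers only ChangeLog and iconv/gconv_cache.c, so no regression test for BZ #24677 comes with the fix; a test exercising the cloned-steps path would guard against a repeat of the premature free.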

