Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 10.5.3
- None
- Linux
Description
In the file MariaDB/server/storage/rocksdb/rocksdb/db/db_impl/db_impl_open.cc, there is a possible use-after-free bug in the function RecoverLogFiles. The cfd is freed at line 949 and is used at lines 953 and 956.
cfd->UnrefAndTryDelete();  // 949
auto iter = version_edits.find(cfd->GetID());  // 953
status = WriteLevel0TableForRecovery(job_id, cfd, cfd->mem(), edit);  // 956
The UnrefAndTryDelete function is located at line 606 in MariaDB/server/storage/rocksdb/rocksdb/db/trim_history_scheduler.cc.
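Whether a read after an unref call is a real use-after-free depends on whether another holder still owns a reference at that point. The C++ model below is an added example, not RocksDB or MariaDB code: `Node`, `g_live`, `ReleaseResult` and `ReleaseSafely` are hypothetical names, and it assumes the unref call deletes the object when it drops the last reference.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>

static int g_live = 0;  // live Node count, so the example can observe frees

// Hypothetical ref-counted object standing in for the report's cfd.
class Node {
 public:
  explicit Node(uint32_t id) : id_(id) { ++g_live; }
  ~Node() { --g_live; }
  void Ref() { refs_.fetch_add(1, std::memory_order_relaxed); }
  // Assumed semantics: drop one reference, delete on the last one.
  // Returns true when the object was freed by this call.
  bool UnrefAndTryDelete() {
    if (refs_.fetch_sub(1, std::memory_order_acq_rel) == 1) {
      delete this;
      return true;
    }
    return false;
  }
  uint32_t GetID() const { return id_; }

 private:
  uint32_t id_;
  std::atomic<int> refs_{0};
};

struct ReleaseResult {
  uint32_t id;  // value copied while the reference was still held
  bool freed;   // true: the pointer is dangling and must not be touched
};

// Safe ordering: read everything needed first, release last, and report
// whether this release freed the object.
ReleaseResult ReleaseSafely(Node* n) {
  const uint32_t id = n->GetID();
  const bool freed = n->UnrefAndTryDelete();
  return {id, freed};
}

int main() {
  Node* shared = new Node(7);
  shared->Ref();  // reference held by an owning container (constructed case)
  shared->Ref();  // reference taken by the caller
  ReleaseResult r = ReleaseSafely(shared);
  std::printf("id=%u freed=%d live=%d\n", r.id, r.freed, g_live);
  shared->UnrefAndTryDelete();  // container drops its reference: freed now
  return g_live;
}
```

When triaging a report like this one, the question to answer from the surrounding code is which of the two cases applies at the flagged lines: a second reference still held elsewhere, or the last reference being dropped.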