Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Versions: 10.5, 10.6, 10.2(EOL), 10.3(EOL), 10.4(EOL)
Description
It seems that the handling of the OOM case in `Event_queue_element_for_exec::init` leaves the possibility of a double free (https://github.com/MariaDB/server/blob/786bc312b85e58857cb26a24ab6e997ba0fdfc32/sql/event_data_objects.cc#L187-L200):

```cpp
bool
Event_queue_element_for_exec::init(const LEX_CSTRING &db, const LEX_CSTRING &n)
{
  if (!(dbname.str= my_strndup(key_memory_Event_queue_element_for_exec_names,
                               db.str, dbname.length= db.length, MYF(MY_WME))))
    return TRUE;
  if (!(name.str= my_strndup(key_memory_Event_queue_element_for_exec_names,
                             n.str, name.length= n.length, MYF(MY_WME))))
  {
    my_free(const_cast<char*>(dbname.str)); // (1) dbname.str is not NULL here
    return TRUE;
  }
  return FALSE;
}
```
If the second call to `my_strndup` returns NULL, the memory allocated for `dbname.str` is freed at point (1), but `dbname.str` is not reset to NULL and keeps its now dangling value.
That value is then passed to `my_free` in the destructor of `Event_queue_element_for_exec` (https://github.com/MariaDB/server/blob/786bc312b85e58857cb26a24ab6e997ba0fdfc32/sql/event_data_objects.cc#L210-L214):

```cpp
Event_queue_element_for_exec::~Event_queue_element_for_exec()
{
  my_free(const_cast<char*>(dbname.str)); // (2)
  my_free(const_cast<char*>(name.str));
}
```
Because at point (2) the value of `dbname.str` is not NULL, that call to `my_free` releases the same block a second time, i.e. a double free.
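The sequence above, as an added illustration that is not MariaDB's code: a minimal C++ model of `init` and the destructor, using constructed stand-ins for `my_strndup`/`my_free` in which the allocator can be told to fail at a chosen allocation and the deallocator records each free in a ledger instead of releasing memory, so the double free shows up as a count of 2 rather than as a crash. The `hardened` switch applies one possible mitigation (resetting `dbname.str` to NULL after freeing it on the error path); it is an assumption for this example, not necessarily the fix that was committed. An equivalent alternative is to free nothing in `init` and leave both pointers to the destructor, which already tolerates NULL.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <map>

// Constructed stand-ins for my_strndup/my_free (not MariaDB's code).
static int g_fail_at = -1;                 // index of the allocation that returns NULL; -1 = never
static int g_alloc_index = 0;
static std::map<char*, int> g_free_count;  // pointer -> number of times it was freed

static char* fake_strndup(const char* s, size_t len) {
    int idx = g_alloc_index++;
    if (idx == g_fail_at) return nullptr;  // simulated out-of-memory
    char* p = static_cast<char*>(std::malloc(len + 1));
    std::memcpy(p, s, len);
    p[len] = '\0';
    g_free_count[p] = 0;
    return p;
}

// Records the free instead of releasing, so a second free is counted, not fatal.
static void fake_free(char* p) {
    if (p == nullptr) return;              // freeing NULL is a no-op, as with free()
    g_free_count[p]++;
}

static void reset_ledger() {
    for (auto& kv : g_free_count) std::free(kv.first);
    g_free_count.clear();
    g_alloc_index = 0;
    g_fail_at = -1;
}

struct LexCString { const char* str; size_t length; };

// Mirrors the shape of Event_queue_element_for_exec from the report.
struct ElementForExec {
    LexCString dbname{nullptr, 0};
    LexCString name{nullptr, 0};
    bool hardened = false;  // true: reset dbname.str after freeing it on the error path

    bool init(const LexCString& db, const LexCString& n) {
        if (!(dbname.str = fake_strndup(db.str, dbname.length = db.length)))
            return true;
        if (!(name.str = fake_strndup(n.str, name.length = n.length))) {
            fake_free(const_cast<char*>(dbname.str));  // point (1) in the report
            if (hardened) dbname.str = nullptr;         // mitigation: destructor now sees NULL
            return true;
        }
        return false;
    }
    ~ElementForExec() {
        fake_free(const_cast<char*>(dbname.str));      // point (2) in the report
        fake_free(const_cast<char*>(name.str));
    }
};

// Runs init() with the given allocation index failing, destroys the object,
// and returns the largest number of frees any single block received:
// 1 means every block was freed exactly once, 2 means a double free.
static int max_frees(bool hardened, int fail_at) {
    reset_ledger();
    g_fail_at = fail_at;
    {
        ElementForExec e;
        e.hardened = hardened;
        e.init(LexCString{"db", 2}, LexCString{"ev", 2});
    }  // destructor runs here
    int worst = 0;
    for (auto& kv : g_free_count) if (kv.second > worst) worst = kv.second;
    return worst;
}

int main() {
    std::printf("unpatched, second allocation fails: max frees = %d\n", max_frees(false, 1));
    std::printf("hardened,  second allocation fails: max frees = %d\n", max_frees(true, 1));
    std::printf("unpatched, no allocation failure:   max frees = %d\n", max_frees(false, -1));
    return 0;
}
```

With the second allocation failing, the unpatched model frees the `dbname` block once in `init` and again in the destructor (count 2); the hardened variant frees it once. Real builds would see the same pattern as an ASan "attempting double-free" report or a crash inside the allocator, so OOM-path fault injection (for example failing the Nth allocation) is a cheap way to catch this class of cleanup bug.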