[MDEV-24807] A possibility for double free in dtor of Event_queue_element_for_exec in the case of OOM

Created: 2021-02-08 | Updated: 2021-04-20 | Resolved: 2021-04-20

| Field | Value |
|---|---|
| Status | Closed |
| Project | MariaDB Server |
| Component/s | Events |
| Affects Version/s | 10.2, 10.3, 10.4, 10.5, 10.6 |
| Fix Version/s | 10.2.38, 10.3.29, 10.4.19, 10.5.10 |
| Type | Bug |
| Priority | Minor |
| Reporter | Yauheni Akhotnikau |
| Assignee | Vicențiu Ciorbaru |
| Resolution | Fixed |
| Votes | 0 |
| Labels | beginner-friendly |

Description
It seems that the handling of the OOM case in `Event_queue_element_for_exec::init` leaves open the possibility of a double free (https://github.com/MariaDB/server/blob/786bc312b85e58857cb26a24ab6e997ba0fdfc32/sql/event_data_objects.cc#L187-L200).

If the second call to `my_strndup` returns NULL, the memory allocated for `dbname.str` is freed (at point (1)), but `dbname.str` is not set to NULL and keeps its value. That value is then passed to `my_free` in the destructor of `Event_queue_element_for_exec` (https://github.com/MariaDB/server/blob/786bc312b85e58857cb26a24ab6e997ba0fdfc32/sql/event_data_objects.cc#L210-L214), and because at point (2) the value of `dbname.str` is not NULL, the call to `my_free` can lead to a double free.
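The failure path described above, reduced to a self-contained C++ example added here (a constructed stand-in, not MariaDB's code): `fake_strndup` and `fake_free` replace `my_strndup`/`my_free` and count a second free of the same pointer instead of corrupting the heap, `buggy_init` mirrors the reported flow of `init()` with the destructor freeing both members, and `fixed_init` shows one way to close the hole by clearing `dbname` after freeing it.

```cpp
#include <cstdlib>
#include <cstring>
#include <set>
// Constructed stand-ins for my_strndup/my_free: a live-pointer set lets a
// second free of the same pointer be counted rather than actually performed.
static std::set<void *> g_live;
static int g_double_frees = 0;
static int g_allocs_before_fail = -1;  // -1: never fail; n: the (n+1)th allocation returns nullptr

static char *fake_strndup(const char *s, size_t n) {
  if (g_allocs_before_fail == 0) return nullptr;      // simulated OOM
  if (g_allocs_before_fail > 0) g_allocs_before_fail--;
  char *p = static_cast<char *>(malloc(n + 1));
  memcpy(p, s, n); p[n] = '\0';
  g_live.insert(p);
  return p;
}
static void fake_free(void *p) {
  if (!p) return;                                     // freeing NULL is a no-op
  if (g_live.erase(p) == 0) { g_double_frees++; return; }  // already freed: record it
  free(p);
}

struct Element {                                      // stands in for Event_queue_element_for_exec
  char *dbname = nullptr;
  char *name = nullptr;
  bool buggy_init(const char *db, const char *nm) {   // same flow as the reported init()
    if (!(dbname = fake_strndup(db, strlen(db)))) return true;
    if (!(name = fake_strndup(nm, strlen(nm)))) {
      fake_free(dbname);                              // (1): freed, but dbname keeps the stale pointer
      return true;
    }
    return false;
  }
  bool fixed_init(const char *db, const char *nm) {   // one possible fix: clear after freeing
    if (!(dbname = fake_strndup(db, strlen(db)))) return true;
    if (!(name = fake_strndup(nm, strlen(nm)))) {
      fake_free(dbname);
      dbname = nullptr;                               // destructor now sees NULL and skips it
      return true;
    }
    return false;
  }
  ~Element() { fake_free(dbname); fake_free(name); }  // (2): frees whatever is still non-null
};

// Builds an Element, fails the second allocation when oom is set, returns the double frees seen.
int double_frees_seen(bool fixed, bool oom) {
  g_live.clear(); g_double_frees = 0; g_allocs_before_fail = oom ? 1 : -1;
  { Element e; if (fixed) e.fixed_init("db", "ev"); else e.buggy_init("db", "ev"); }
  g_allocs_before_fail = -1;
  return g_double_frees;
}
```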