Skip to content

M
MariaDB
Commit adeb736f authored by Thirunarayanan Balathandayuthapani's avatar Thirunarayanan Balathandayuthapani
Browse files
Options

MDEV-22903 heap-use-after-free while accessing fts cache deleted doc ids 

Problem:
=======
  fts_cache_append_deleted_doc_ids() holds the deleted_lock and tries to
access size of deleted_doc_ids. In the meantime, fts_cache_clear()
clears the sync_heap before clearing deleted_doc_ids. It leads to
invalid access of deleted_doc_ids.

Fix:
===
fts_cache_clear() should free the sync_heap after clearing
deleted_doc_ids.
parent 52ccedd6
Hide whitespace changes
Inline Side-by-side
Showing with 6 additions and 6 deletions
storage/innobase/fts/fts0fts.cc
View file @ adeb736f
......@@ -1127,14 +1127,14 @@ fts_cache_clear(
index_cache->doc_stats = NULL;
}
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
cache->total_size = 0;
mutex_enter((ib_mutex_t*) &cache->deleted_lock);
cache->deleted_doc_ids = NULL;
mutex_exit((ib_mutex_t*) &cache->deleted_lock);
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
}
/*********************************************************************//**
......
storage/xtradb/fts/fts0fts.cc
View file @ adeb736f
......@@ -1127,14 +1127,14 @@ fts_cache_clear(
index_cache->doc_stats = NULL;
}
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
cache->total_size = 0;
mutex_enter((ib_mutex_t*) &cache->deleted_lock);
cache->deleted_doc_ids = NULL;
mutex_exit((ib_mutex_t*) &cache->deleted_lock);
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
}
/*********************************************************************//**
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7