Avoid an (untriggerable so far) crash bug in bufferevent_free()

We were saying
     mm_free(bufev - bufev->be_ops->mem_offset);
when we should have said
     mm_free(((char*)bufev) - bufev->be_ops->mem_offset);

In other words, if mem_offset had ever been nonzero, then instead of
backing up mem_offset bytes to find the thing we were supposed to free, we
would have backed up mem_offset*sizeof(struct bufferevent) bytes, and freed
something completely crazy.

Spotted thanks to a conversation with Jardel Weyrich.
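The scaling mistake described above, reproduced as an added stand-alone example (not libevent's own code). It assumes a constructed wrapper struct that embeds a `struct bufferevent` at a non-zero `mem_offset`, and keeps the wrapper inside one large arena so the wrong address the buggy expression computes can be measured without stepping outside an allocation.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for libevent's layout: a wrapper struct embeds the
 * bufferevent at a non-zero offset, and be_ops->mem_offset records that
 * offset so the free path can recover the wrapper's base address. */
struct bufferevent_ops { size_t mem_offset; };
struct bufferevent { const struct bufferevent_ops *be_ops; int dummy[4]; };
struct wrapper { long header[3]; struct bufferevent bev; };

static const struct bufferevent_ops wrapper_ops = { offsetof(struct wrapper, bev) };

/* Buggy form from the commit: integer subtracted from a struct pointer is
 * scaled by sizeof(struct bufferevent), so it lands far below the base. */
static void *base_buggy(struct bufferevent *bufev) {
    return bufev - bufev->be_ops->mem_offset;
}

/* Fixed form: cast to char* first so the subtraction is in bytes. */
static void *base_fixed(struct bufferevent *bufev) {
    return ((char *)bufev) - bufev->be_ops->mem_offset;
}

/* Place the wrapper deep enough inside a constructed arena that even the
 * scaled (wrong) address still falls within the same allocation. */
static long arena_words[256];
static struct wrapper *place_wrapper(void) {
    unsigned char *arena = (unsigned char *)arena_words;
    struct wrapper *w = (struct wrapper *)(arena + 640);
    memset(w, 0, sizeof *w);
    w->bev.be_ops = &wrapper_ops;
    return w;
}

/* How many bytes below the true base the buggy expression points:
 * mem_offset * sizeof(struct bufferevent) instead of mem_offset. */
size_t buggy_error_bytes(void) {
    struct wrapper *w = place_wrapper();
    char *got = base_buggy(&w->bev);
    return (size_t)((char *)w - got);
}

/* 1 when the cast form recovers exactly the wrapper's base address. */
int fixed_recovers_base(void) {
    struct wrapper *w = place_wrapper();
    return base_fixed(&w->bev) == (void *)w;
}
```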
Nick Mathewson 2010-03-13 01:04:30 -05:00
parent 274a7bd9a1
commit 0cf1431e5d


@ -568,7 +568,7 @@ _bufferevent_decref_and_unlock(struct bufferevent *bufev)
EVTHREAD_LOCKTYPE_RECURSIVE);
/* Free the actual allocated memory. */
mm_free(bufev - bufev->be_ops->mem_offset);
mm_free(((char*)bufev) - bufev->be_ops->mem_offset);
/* Release the reference to underlying now that we no longer need the
* reference to it. We wait this long mainly in case our lock is
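Review bot: the `(char*)` cast on the replacement `mm_free(((char*)bufev) - bufev->be_ops->mem_offset);` is the right fix, but the removed line compiled silently because pointer-minus-integer is legal C, so nothing guards against this regressing; since the commit message says no caller has a non-zero `mem_offset` yet, consider adding a short comment on that line stating the subtraction must be in bytes (to reach the start of the enclosing allocation), and a unit test that constructs a bufferevent with a non-zero `mem_offset` and frees it, so the first real user of `mem_offset` does not discover the scaling by crashing in `mm_free`.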