Checkout
stsp
committed
on 12 Apr
Fix memory lifetime problem in a libsvn_wc error code path.

* subversion/libsvn_wc/wc_db_update_move.c
(suitable_for_move): Calling svn_s… Show more
Fix memory lifetime problem in a libsvn_wc error code path.

* subversion/libsvn_wc/wc_db_update_move.c

 (suitable_for_move): Calling svn_sqlite__column_text() with a NULL result

  pool twice means the result of the first call becomes invalid. Store the

  child_relpath variable in a pool. It is passed to path_for_error_message()

  later, after another call to svn_sqlite__column_text() with a NULL result

  pool has already occurred.

Crash observed on OpenBSD:

#0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125

#1  0x00000c38d5de6db7 in svn_dirent_join (

   base=0xc38dfe1ef00 "/home/stsp/svn/svn-1.12.0/subversion/tests/libsvn_wc/svn-test-work/working-copies/move_update_subtree",

   component=0xc390ca94fc8 '\337' <repeats 55 times>, <incomplete sequence \337><error: Cannot access memory at address 0xc390ca95000>, pool=0xc38eeceff00)

   at subversion/libsvn_subr/dirent_uri.c:1007

#2  0x00000c38f686a815 in path_for_error_message (wcroot=0xc387ee3d300,

   local_relpath=0xc390ca94fc8 '\337' <repeats 55 times>, <incomplete sequence \337><error: Cannot access memory at address 0xc390ca95000>,

   result_pool=0xc38eeceff00) at subversion/libsvn_wc/wc_db_update_move.c:167

#3  0x00000c38f686ad1f in suitable_for_move (wcroot=0xc387ee3d300,

   local_relpath=0xc387efe4ce0 "A/B", scratch_pool=0xc38eeceff00)

   at subversion/libsvn_wc/wc_db_update_move.c:2192

Show less