Fix "use after free" issue in clog

Keep track of clog_refs so we can null the pointers when calling
CLG_exit. Otherwise we will run into issues where the code will try to
access freed data.

2 files changed, 13 insertions, 0 deletions

diff --git a/intern/clog/CLG_log.h b/intern/clog/CLG_log.h
index 3e51e228bac..8a26eb035cf 100644
--- a/intern/clog/CLG_log.h
+++ b/intern/clog/CLG_log.h
@@ -118,6 +118,7 @@ typedef struct CLG_LogType {
 typedef struct CLG_LogRef {
   const char *identifier;
   CLG_LogType *type;
+  struct CLG_LogRef *next;
 } CLG_LogRef;
 
 void CLG_log_str(CLG_LogType *lg,
diff --git a/intern/clog/clog.c b/intern/clog/clog.c
index 01d1c0a1770..50a51ebe913 100644
--- a/intern/clog/clog.c
+++ b/intern/clog/clog.c
@@ -81,6 +81,8 @@ typedef struct CLG_IDFilter {
 typedef struct CLogContext {
   /** Single linked list of types.  */
   CLG_LogType *types;
+  /** Single linked list of references.  */
+  CLG_LogRef *refs;
 #ifdef WITH_CLOG_PTHREADS
   pthread_mutex_t types_lock;
 #endif
@@ -673,6 +675,12 @@ static void CLG_ctx_free(CLogContext *ctx)
     MEM_freeN(item);
   }
 
+  while (ctx->refs != NULL) {
+    CLG_LogRef *item = ctx->refs;
+    ctx->refs = item->next;
+    item->type = NULL;
+  }
+
   for (uint i = 0; i < 2; i++) {
     while (ctx->filters[i] != NULL) {
       CLG_IDFilter *item = ctx->filters[i];
@@ -769,6 +777,10 @@ void CLG_logref_init(CLG_LogRef *clg_ref)
   pthread_mutex_lock(&g_ctx->types_lock);
 #endif
   if (clg_ref->type == NULL) {
+    /* Add to the refs list so we can NULL the pointers to 'type' when CLG_exit() is called. */
+    clg_ref->next = g_ctx->refs;
+    g_ctx->refs = clg_ref;
+
     CLG_LogType *clg_ty = clg_ctx_type_find_by_name(g_ctx, clg_ref->identifier);
     if (clg_ty == NULL) {
       clg_ty = clg_ctx_type_register(g_ctx, clg_ref->identifier);