From aadfa31cf000f74f6b16f311c1532e2c6c1a384b Mon Sep 17 00:00:00 2001
From: Sebastian Parborg
Date: Fri, 30 Apr 2021 18:01:47 +0200
Subject: Fix "use after free" issue in clog

Keep track of clog_refs so we can null the pointers when calling CLG_exit. Otherwise we will run into issues where the code will try to access freed data.
---
 intern/clog/CLG_log.h | 1 +
 intern/clog/clog.c | 12 ++++++++++++
 2 files changed, 13 insertions(+)

(limited to 'intern')

diff --git a/intern/clog/CLG_log.h b/intern/clog/CLG_log.h
index 3e51e228bac..8a26eb035cf 100644
--- a/intern/clog/CLG_log.h
+++ b/intern/clog/CLG_log.h
@@ -118,6 +118,7 @@ typedef struct CLG_LogType {
 typedef struct CLG_LogRef {
 const char *identifier;
 CLG_LogType *type;
+ struct CLG_LogRef *next;
 } CLG_LogRef;
 
 void CLG_log_str(CLG_LogType *lg,
diff --git a/intern/clog/clog.c b/intern/clog/clog.c
index 01d1c0a1770..50a51ebe913 100644
--- a/intern/clog/clog.c
+++ b/intern/clog/clog.c
@@ -81,6 +81,8 @@ typedef struct CLG_IDFilter {
 typedef struct CLogContext {
 /** Single linked list of types. */
 CLG_LogType *types;
+ /** Single linked list of references. */
+ CLG_LogRef *refs;
 #ifdef WITH_CLOG_PTHREADS
 pthread_mutex_t types_lock;
 #endif
@@ -673,6 +675,12 @@ static void CLG_ctx_free(CLogContext *ctx)
 MEM_freeN(item);
 }
 
+ while (ctx->refs != NULL) {
+ CLG_LogRef *item = ctx->refs;
+ ctx->refs = item->next;
+ item->type = NULL;
+ }
+
 for (uint i = 0; i < 2; i++) {
 while (ctx->filters[i] != NULL) {
 CLG_IDFilter *item = ctx->filters[i];
@@ -769,6 +777,10 @@ void CLG_logref_init(CLG_LogRef *clg_ref)
 pthread_mutex_lock(&g_ctx->types_lock);
 #endif
 if (clg_ref->type == NULL) {
+ /* Add to the refs list so we can NULL the pointers to 'type' when CLG_exit() is called. */
+ clg_ref->next = g_ctx->refs;
+ g_ctx->refs = clg_ref;
+
 CLG_LogType *clg_ty = clg_ctx_type_find_by_name(g_ctx, clg_ref->identifier);
 if (clg_ty == NULL) {
 clg_ty = clg_ctx_type_register(g_ctx, clg_ref->identifier);
--
cgit v1.2.3
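Review bot: The new `next` member added to `CLG_LogRef` in CLG_log.h is a public-header field with no comment, yet it is owned entirely by clog (written in CLG_logref_init, walked in CLG_ctx_free) and has to start out NULL for the list to terminate. I'd document that contract on the field: `/** Internal: next ref in the context's list, maintained by CLG_logref_init()/CLG_exit(); callers leave this zero-initialized. */`. If refs are defined by users with brace initializers that only name `identifier`, as the identifier-first layout suggests, appending the member last is what keeps them valid, so the comment should also say the field must stay at the end of the struct.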
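Review bot: The unlink loop added to CLG_ctx_free clears `item->type` but leaves `item->next` pointing at whatever followed it in the list being torn down; if refs are static objects that outlive the context, as the commit message implies, that is not a use-after-free, but a stale link survives until the ref is re-registered and any code that walks `next` outside the lock-protected registration path would follow it. Resetting both, `item->type = NULL; item->next = NULL;`, returns every unregistered ref to the same state as a freshly zero-initialized one. The patch also does not show `refs` being set to NULL when the context is created; if `CLogContext` is not allocated with a zeroing allocator, `ctx->refs` needs an explicit initializer or the first CLG_logref_init call chains onto garbage. CLG_ctx_free and CLG_logref_init both begin outside their hunks, and the registration side is under `types_lock` while the teardown loop shows no lock, which is presumably fine only because CLG_exit runs single-threaded.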