author | Joakim Tjernlund <joakim.tjernlund@transmode.se> | 2005-08-24 17:29:05 +0000 |
---|---|---|
committer | Joakim Tjernlund <joakim.tjernlund@transmode.se> | 2005-08-24 17:29:05 +0000 |
commit | 30d5d27e60802c0443bcdeb620d3ecbac90b7fc0 (patch) | |
tree | 660b8ba6869c58acc1b7e711c8ac4ae6bcd2d674 | |
parent | b1ce9e53a3e6b06267fee6d7b86ab7f5f5ba0f80 (diff) |
Frank Mehnert writes:
I use an implementation for malloc()/free() which is sensible about
using data after freed. In libdl.c, rpnt1->next->next is accessed after
rpnt1->next is freed. Attached patch fixes that problem.
-rw-r--r-- | ldso/libdl/libdl.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/ldso/libdl/libdl.c b/ldso/libdl/libdl.c
index 08952094c..f8f90dfb7 100644
--- a/ldso/libdl/libdl.c
+++ b/ldso/libdl/libdl.c
@@ -452,7 +452,7 @@ void *dlsym(void *vhandle, const char *name)
 
 static int do_dlclose(void *vhandle, int need_fini)
 {
- struct dyn_elf *rpnt, *rpnt1;
+ struct dyn_elf *rpnt, *rpnt1, *rpnt1_tmp;
 struct init_fini_list *runp, *tmp;
 ElfW(Phdr) *ppnt;
 struct elf_resolve *tpnt, *run_tpnt;
@@ -541,8 +541,9 @@ static int do_dlclose(void *vhandle, int need_fini)
 for (rpnt1 = _dl_symbol_tables; rpnt1->next; rpnt1 = rpnt1->next) {
 if (rpnt1->next->dyn == tpnt) {
 _dl_if_debug_print("removing symbol_tables: %s\n", tpnt->libname);
+ rpnt1_tmp = rpnt1->next->next;
 free(rpnt1->next);
- rpnt1->next = rpnt1->next->next;
+ rpnt1->next = rpnt1_tmp;
 if (rpnt1->next)
 rpnt1->next->prev = rpnt1;
 break;
|
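Review bot: In the second hunk the node is still freed while `rpnt1->next` points at it, so the fix holds only as long as the `rpnt1_tmp` read stays above the `free()`. Holding the doomed node and unlinking it before releasing it makes the ordering self-evident and harder to regress: `rpnt1_tmp = rpnt1->next;` `rpnt1->next = rpnt1_tmp->next;` `free(rpnt1_tmp);`. A short comment such as `/* unlink before free: never read a node after it is released */` would record why the temporary exists, since a stale read here would feed a freed `next` pointer back into `_dl_symbol_tables`. The temporary is declared at function scope in the first hunk although it is used only in this branch. `do_dlclose` starts and ends outside both hunks, so any other unlink-and-free sites in it cannot be checked from here.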