Author: stsp
Date: Fri Apr 12 07:04:15 2019
New Revision: 1857367

URL: http://svn.apache.org/viewvc?rev=1857367&view=rev
Log:
Fix memory lifetime problem in a libsvn_wc error code path.

* subversion/libsvn_wc/wc_db_update_move.c
  (suitable_for_move): Calling svn_sqlite__column_text() with a NULL result
   pool twice means the result of the first call becomes invalid. Store the
   child_relpath variable in a pool. It is passed to path_for_error_message()
   later, after another call to svn_sqlite__column_text() with a NULL result
   pool has already occurred.

Crash observed on OpenBSD:
#0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
#1  0x00000c38d5de6db7 in svn_dirent_join (
    base=0xc38dfe1ef00 "/home/stsp/svn/svn-1.12.0/subversion/tests/libsvn_wc/svn-test-work/working-copies/move_update_subtree",
    component=0xc390ca94fc8 '\337' <repeats 55 times>, <incomplete sequence \337><error: Cannot access memory at address 0xc390ca95000>, pool=0xc38eeceff00)
    at subversion/libsvn_subr/dirent_uri.c:1007
#2  0x00000c38f686a815 in path_for_error_message (wcroot=0xc387ee3d300,
    local_relpath=0xc390ca94fc8 '\337' <repeats 55 times>, <incomplete sequence \337><error: Cannot access memory at address 0xc390ca95000>,
    result_pool=0xc38eeceff00) at subversion/libsvn_wc/wc_db_update_move.c:167
#3  0x00000c38f686ad1f in suitable_for_move (wcroot=0xc387ee3d300, 
    local_relpath=0xc387efe4ce0 "A/B", scratch_pool=0xc38eeceff00)
    at subversion/libsvn_wc/wc_db_update_move.c:2192

Modified:
    subversion/trunk/subversion/libsvn_wc/wc_db_update_move.c

Modified: subversion/trunk/subversion/libsvn_wc/wc_db_update_move.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_wc/wc_db_update_move.c?rev=1857367&r1=1857366&r2=1857367&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_wc/wc_db_update_move.c (original)
+++ subversion/trunk/subversion/libsvn_wc/wc_db_update_move.c Fri Apr 12 
07:04:15 2019
@@ -2175,11 +2175,12 @@ suitable_for_move(svn_wc__db_wcroot_t *w
   while (have_row)
     {
       svn_revnum_t node_revision = svn_sqlite__column_revnum(stmt, 2);
-      const char *child_relpath = svn_sqlite__column_text(stmt, 0, NULL);
+      const char *child_relpath;
       const char *relpath;
 
       svn_pool_clear(iterpool);
 
+      child_relpath = svn_sqlite__column_text(stmt, 0, iterpool);
       relpath = svn_relpath_skip_ancestor(local_relpath, child_relpath);
       relpath = svn_relpath_join(repos_relpath, relpath, iterpool);
 
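Review bot: The new assignment child_relpath = svn_sqlite__column_text(stmt, 0, iterpool) is only correct because it sits after svn_pool_clear(iterpool), and nothing in the code says so. A short comment on that line, noting that text fetched with a NULL result pool is invalidated by the next svn_sqlite__column_text() call and that the copy has to be made after the clear, would keep someone from folding the call back into the declaration. The copy now lives in iterpool, so it is valid for the current iteration only: the error path named in the log message, path_for_error_message(), is outside this hunk, and it is worth confirming that it runs before iterpool is cleared again or destroyed and that its result is allocated in a longer-lived pool. Any other svn_sqlite__column_text(stmt, ..., NULL) call left in this loop body deserves the same check, and a regression test that reaches this error path would help, since the crash in the log only surfaced on one platform.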

