The branch main has been updated by bnovkov:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=4bcc5a3cdc05f217a8adf2f5f97a2e922663f741

commit 4bcc5a3cdc05f217a8adf2f5f97a2e922663f741
Author:     Bojan Novković <[email protected]>
AuthorDate: 2026-01-27 15:13:13 +0000
Commit:     Bojan Novković <[email protected]>
CommitDate: 2026-01-27 16:47:23 +0000

    btree/bt_seq.c: Fix two NULL pointer dereferences
    
    This change fixes two NULL pointer dereferences caused by the
    __bt_first function.
    
    The first was caused by returning 0 (i.e., RET_SUCCESS) when a key
    was not found, causing the caller to dereference an uninitialized
    or NULL pointer. The second one was caused by an if statement clobbering
    a local variable with a function call result that might be NULL.
    
    Reported by:    clang-tidy
    Sponsored by:   Klara, Inc.
    Reviewed by:    markj
    Obtained from:  https://github.com/apple-oss-distributions/libc (partially)
    Differential Revision:  https://reviews.freebsd.org/D54905
---
 lib/libc/db/btree/bt_seq.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/libc/db/btree/bt_seq.c b/lib/libc/db/btree/bt_seq.c
index 2562724faf33..fc7fa693b747 100644
--- a/lib/libc/db/btree/bt_seq.c
+++ b/lib/libc/db/btree/bt_seq.c
@@ -325,7 +325,7 @@ usecurrent:         F_CLR(c, CURS_AFTER | CURS_BEFORE);
 static int
 __bt_first(BTREE *t, const DBT *key, EPG *erval, int *exactp)
 {
-       PAGE *h;
+       PAGE *h, *hprev;
        EPG *ep, save;
        pgno_t pg;
 
@@ -338,7 +338,7 @@ __bt_first(BTREE *t, const DBT *key, EPG *erval, int 
*exactp)
         * page) and return it.
         */
        if ((ep = __bt_search(t, key, exactp)) == NULL)
-               return (0);
+               return (RET_SPECIAL);
        if (*exactp) {
                if (F_ISSET(t, B_NODUPS)) {
                        *erval = *ep;
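Review bot: Mapping a NULL from __bt_search to RET_SPECIAL on the line after `if ((ep = __bt_search(t, key, exactp)) == NULL)` reports the condition as "key not found", but as far as I recall __bt_search returns NULL only when its own mpool_get fails, never for an absent key (an absent key comes back as a non-NULL ep with *exactp == 0). If that holds, `return (RET_ERROR);` is the code the R_CURSOR path in __bt_seq should see, since it otherwise treats an I/O or allocation failure as an empty result. Either code is an improvement over 0, because the caller no longer dereferences an unset erval; it is worth confirming against bt_search.c before settling on one. __bt_first's body continues outside this hunk.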
@@ -369,14 +369,14 @@ __bt_first(BTREE *t, const DBT *key, EPG *erval, int 
*exactp)
                                        break;
                                if (h->pgno != save.page->pgno)
                                        mpool_put(t->bt_mp, h, 0);
-                               if ((h = mpool_get(t->bt_mp,
+                               if ((hprev = mpool_get(t->bt_mp,
                                    h->prevpg, 0)) == NULL) {
                                        if (h->pgno == save.page->pgno)
                                                mpool_put(t->bt_mp,
                                                    save.page, 0);
                                        return (RET_ERROR);
                                }
-                               ep->page = h;
+                               ep->page = h = hprev;
                                ep->index = NEXTINDEX(h);
                        }
                        --ep->index;
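Review bot: `h->prevpg` in the new `hprev = mpool_get(t->bt_mp, h->prevpg, 0)` call is read after `h` may already have been released by the `mpool_put(t->bt_mp, h, 0)` two lines above, and the failure branch reads `h->pgno` again after mpool_get has had a chance to recycle h's buffer. mpool keeps unpinned pages cached, so this works in practice, but the read-after-release is easy to break later; capturing the values before the put, `pgno_t prevpg = h->prevpg, curpg = h->pgno;`, and using `prevpg` in the mpool_get call and `curpg == save.page->pgno` in the failure test would make the ordering explicit. The enclosing loop and __bt_first's body continue outside the hunk.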
