I found a use-after-free bug in pat_ref_delete_by_id.

diff --git a/haproxy/src/pattern.c b/haproxy/src/pattern.c
index 4bd6924..0bd35a7 100644
--- a/haproxy/src/pattern.c
+++ b/haproxy/src/pattern.c
@@ -1573,14 +1573,14 @@ int pat_ref_delete_by_id(struct pat_ref *ref,
struct pat_ref_elt *refelt)
        /* delete pattern from reference */
        list_for_each_entry_safe(elt, safe, &ref->head, list) {
                if (elt == refelt) {
+                       list_for_each_entry(expr, &ref->pat, list)
+                               pattern_delete(expr, elt);
+
                        list_del(&elt->list);
                        haproxy_free(elt->sample);
                        haproxy_free(elt->pattern);
                        haproxy_free(elt);

-                       list_for_each_entry(expr, &ref->pat, list)
-                               pattern_delete(expr, elt);
-
                        return 1;
                }
        }
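Review bot: The moved `list_for_each_entry(expr, &ref->pat, list)` loop has no comment recording why it must run before the `haproxy_free(elt)` calls, so a later cleanup could move it back below them and reintroduce the use-after-free. A one-line comment above the loop would pin the invariant, for example `/* remove elt from every expression before freeing it: pattern_delete() is handed elt */`. Any other path in this file that frees a `struct pat_ref_elt` presumably needs the same order and is worth checking, though none is visible in this hunk. The body of pat_ref_delete_by_id starts and ends outside the hunk.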
