diff options
author | Andreas Schwab <schwab@redhat.com> | 2012-06-22 11:10:31 -0700 |
---|---|---|
committer | Carlos O'Donell <carlos_odonell@mentor.com> | 2012-06-22 11:10:31 -0700 |
commit | 0479b305c5b7c8e3fa8e3002982cf8cac02b842e (patch) | |
tree | f72a6cb6c122c086d6e7b5989e9d746c0c3431a1 /elf/dl-libc.c | |
parent | 0e3933b96344ab9c0ac633c19f4ebfdede5375d4 (diff) | |
download | glibc-0479b305c5b7c8e3fa8e3002982cf8cac02b842e.zip glibc-0479b305c5b7c8e3fa8e3002982cf8cac02b842e.tar.gz glibc-0479b305c5b7c8e3fa8e3002982cf8cac02b842e.tar.bz2 |
Fix invalid memory access in do_lookup_x.
[BZ #13579] Do not free l_initfini and allow it to be reused
on subsequent dl_open calls for the same library. This fixes
the invalid memory access in do_lookup_x when the previously
free'd l_initfini was accessed through l_searchlist when a
library had been opened for the second time.
Diffstat (limited to 'elf/dl-libc.c')
-rw-r--r-- | elf/dl-libc.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/elf/dl-libc.c b/elf/dl-libc.c index a58e216..af2e663 100644 --- a/elf/dl-libc.c +++ b/elf/dl-libc.c @@ -1,6 +1,5 @@ /* Handle loading and unloading shared objects for internal libc purposes. - Copyright (C) 1999-2002,2004-2006,2009,2010,2011 - Free Software Foundation, Inc. + Copyright (C) 1999-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. Contributed by Zack Weinberg <zack@rabi.columbia.edu>, 1999. @@ -269,13 +268,13 @@ libc_freeres_fn (free_mem) for (Lmid_t ns = 0; ns < GL(dl_nns); ++ns) { - /* Remove all additional names added to the objects. */ for (l = GL(dl_ns)[ns]._ns_loaded; l != NULL; l = l->l_next) { struct libname_list *lnp = l->l_libname->next; l->l_libname->next = NULL; + /* Remove all additional names added to the objects. */ while (lnp != NULL) { struct libname_list *old = lnp; @@ -283,6 +282,10 @@ libc_freeres_fn (free_mem) if (! old->dont_free) free (old); } + + /* Free the initfini dependency list. */ + if (l->l_free_initfini) + free (l->l_initfini); } if (__builtin_expect (GL(dl_ns)[ns]._ns_global_scope_alloc, 0) != 0 |