From 50ce3eae5ba304650459d4441d7d246a7cefc26f Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Thu, 18 Jul 2019 17:27:24 +0200 Subject: gconv: Check reference count in __gconv_release_cache [BZ #24677] This fixes a regression introduced in commit 7e740ab2e7be7d83b75513aa406e0b10875f7f9c ("libio: Fix gconv-related memory leak [BZ #24583]"). __gconv_release_cache is only ever called with heap-allocated arrays which contain at least one member. The statically allocated ASCII steps are filtered out by __wcsmbs_close_conv. --- ChangeLog | 6 ++++++ iconv/gconv_cache.c | 9 ++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 31a6b38..dbdb85d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2019-07-25 Florian Weimer + + [BZ #24677] + * iconv/gconv_cache.c (__gconv_release_cache): Check reference + counter before freeing array. + 2019-07-24 H.J. Lu [BZ #24603] diff --git a/iconv/gconv_cache.c b/iconv/gconv_cache.c index 9a456bf..4db7287 100644 --- a/iconv/gconv_cache.c +++ b/iconv/gconv_cache.c @@ -446,9 +446,12 @@ __gconv_lookup_cache (const char *toset, const char *fromset, void __gconv_release_cache (struct __gconv_step *steps, size_t nsteps) { - if (gconv_cache != NULL) - /* The only thing we have to deallocate is the record with the - steps. */ + /* The only thing we have to deallocate is the record with the + steps. But do not do this if the reference counter is still + positive. This can happen if the steps array was cloned by + __wcsmbs_clone_conv. (The array elements have separate __counter + fields, but they are only out of sync temporarily.) */ + if (gconv_cache != NULL && steps->__counter == 0) free (steps); } -- cgit v1.1