From: ノウラ <nea@xxxxxxxx>

clear_alloc_state() freed all slabs and nulled the slabs pointer but left slab_alloc, nr, and p unchanged.

If the alloc_state is reused, ALLOC_GROW() can wrongly assume that the slab array is already allocated because slab_alloc still holds a stale nonzero capacity. In that case s->slabs remains NULL and the next dereference writes through a NULL pointer, causing undefined behavior.

To fix this, we reset slab_alloc, nr, and p to zero/NULL after freeing the slabs. This leaves alloc_state in a consistent empty state for reuse and avoids dangling pointers.

Signed-off-by: Noura EL ALLAM <nouraellm@xxxxxxxxx>
---
    Reset slab_alloc and state fields in clear_alloc_state()

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-git-2040%2Fnouraellm%2Ffix-dangling-pointer-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-git-2040/nouraellm/fix-dangling-pointer-v1
Pull-Request: https://github.com/git/git/pull/2040

 alloc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/alloc.c b/alloc.c
index 377e80f5dda..6bf9421c123 100644
--- a/alloc.c
+++ b/alloc.c
@@ -49,6 +49,9 @@ void clear_alloc_state(struct alloc_state *s)
 	}
 
 	FREE_AND_NULL(s->slabs);
+	s->slab_alloc = 0;
+	s->nr = 0;
+	s->p = NULL;
 }
 
 static inline void *alloc_node(struct alloc_state *s, size_t node_size)

base-commit: f814da676ae46aac5be0a98b99373a76dee6cedb
-- 
gitgitgadget
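Review bot: The three explicit resets after FREE_AND_NULL(s->slabs) fix the stale slab_alloc capacity the commit message describes, but since the stated goal is "a consistent empty state for reuse", consider a single `memset(s, 0, sizeof(*s));` at that point instead; it covers every field of struct alloc_state, including any added later, and cannot drift out of sync with the struct the way a hand-written list of assignments can. The zeroing of `s->nr` is the part that actually matters for correctness of the next allocation path, so if the per-field form is kept, a short comment above `s->slab_alloc = 0;` stating that ALLOC_GROW() relies on the capacity being zero when `s->slabs` is NULL would document the invariant for future readers. Separately, the subject "Reset slab_alloc and state fields in clear_alloc_state()" lacks the usual area prefix; "alloc: reset ..." matches the project's convention.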