MDEV-22903 heap-use-after-free while accessing fts cache deleted doc ids
Problem: fts_cache_append_deleted_doc_ids() holds the deleted_lock and reads the size of deleted_doc_ids. In the meantime, fts_cache_clear() frees the sync_heap (in which deleted_doc_ids is allocated) before clearing deleted_doc_ids, so the reader dereferences freed memory. Fix: fts_cache_clear() now sets deleted_doc_ids to NULL under the deleted_lock first and frees the sync_heap only afterwards.
This commit is contained in:
parent
52ccedd6dd
commit
adeb736f9a
@ -1127,14 +1127,14 @@ fts_cache_clear(
index_cache->doc_stats = NULL;
}
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
cache->total_size = 0;
mutex_enter((ib_mutex_t*) &cache->deleted_lock);
cache->deleted_doc_ids = NULL;
mutex_exit((ib_mutex_t*) &cache->deleted_lock);
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
}
/*********************************************************************//**
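Review bot: The fix depends entirely on statement order — `cache->deleted_doc_ids = NULL` under `deleted_lock` must precede `mem_heap_free(cache->sync_heap->arg)` — but nothing in the hunk records that invariant, so a later tidy-up could reorder the two and reintroduce the use-after-free. I would put `/* deleted_doc_ids is allocated from sync_heap: unlink it under deleted_lock before the heap is freed (MDEV-22903) */` immediately above the `mutex_enter` line. It is also worth confirming that every reader which takes `deleted_lock` tolerates a NULL `deleted_doc_ids`, since that is what a concurrent fts_cache_append_deleted_doc_ids() now observes instead of a dangling pointer; that function is not visible in this hunk. fts_cache_clear() begins before the hunk, so I cannot see whether any other pointer into sync_heap is published under a different lock.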
@ -1127,14 +1127,14 @@ fts_cache_clear(
index_cache->doc_stats = NULL;
}
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
cache->total_size = 0;
mutex_enter((ib_mutex_t*) &cache->deleted_lock);
cache->deleted_doc_ids = NULL;
mutex_exit((ib_mutex_t*) &cache->deleted_lock);
mem_heap_free(static_cast<mem_heap_t*>(cache->sync_heap->arg));
cache->sync_heap->arg = NULL;
}
/*********************************************************************//**