From 30d5d27e60802c0443bcdeb620d3ecbac90b7fc0 Mon Sep 17 00:00:00 2001
From: Joakim Tjernlund <joakim.tjernlund@transmode.se>
Date: Wed, 24 Aug 2005 17:29:05 +0000
Subject: Frank Mehnert writes: I use an implementation for malloc()/free()
 which is sensitive to data being used after it is freed. In libdl.c, rpnt1->next->next
 is accessed after rpnt1->next is freed. Attached patch fixes that problem.

---
 ldso/libdl/libdl.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'ldso')

diff --git a/ldso/libdl/libdl.c b/ldso/libdl/libdl.c
index 08952094c..f8f90dfb7 100644
--- a/ldso/libdl/libdl.c
+++ b/ldso/libdl/libdl.c
@@ -452,7 +452,7 @@ void *dlsym(void *vhandle, const char *name)
 
 static int do_dlclose(void *vhandle, int need_fini)
 {
-	struct dyn_elf *rpnt, *rpnt1;
+	struct dyn_elf *rpnt, *rpnt1, *rpnt1_tmp;
 	struct init_fini_list *runp, *tmp;
 	ElfW(Phdr) *ppnt;
 	struct elf_resolve *tpnt, *run_tpnt;
@@ -541,8 +541,9 @@ static int do_dlclose(void *vhandle, int need_fini)
 					for (rpnt1 = _dl_symbol_tables; rpnt1->next; rpnt1 = rpnt1->next) {
 						if (rpnt1->next->dyn == tpnt) {
 							_dl_if_debug_print("removing symbol_tables: %s\n", tpnt->libname);
+							rpnt1_tmp = rpnt1->next->next;
 							free(rpnt1->next);
-							rpnt1->next = rpnt1->next->next;
+							rpnt1->next = rpnt1_tmp;
 							if (rpnt1->next)
 								rpnt1->next->prev = rpnt1;
 							break;
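Review bot: The removed node is still freed while `rpnt1->next` points at it, so between `free(rpnt1->next)` and the next assignment the list holds a dangling link; saving the successor fixes the read-after-free but keeps that window, which would matter if anything else can walk `_dl_symbol_tables` at that moment (not visible here). Holding the victim rather than its successor unlinks before freeing: `rpnt1_tmp = rpnt1->next;`, `rpnt1->next = rpnt1_tmp->next;`, `free(rpnt1_tmp);`. The loop header also dereferences `_dl_symbol_tables` without a NULL check and never compares the head node's `dyn` with `tpnt`; if either case is impossible by construction, a short comment stating that invariant would help the next reader. do_dlclose begins and ends outside this hunk, so the surrounding locking and the later use of `tpnt` could not be checked.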
-- 
cgit v1.2.3