From 4bf5dba0b7bf6b7e6857ac1d1a145a2e47bfce66 Mon Sep 17 00:00:00 2001
From: Arne Goedeke <el@laramies.com>
Date: Tue, 2 Jul 2013 22:29:47 +0200
Subject: [PATCH] block_alloc: possible use after free
---
 src/block_alloc.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/block_alloc.h b/src/block_alloc.h
index 3317f4150e..ec4c02e7ef 100644
--- a/src/block_alloc.h
+++ b/src/block_alloc.h
@@ -99,10 +99,12 @@
 #endif
 #define WALK_NONFREE_BLOCKS(DATA, BLOCK, FCOND, CODE) do { \
- struct PIKE_CONCAT(DATA,_block) * p; \
- for(p=PIKE_CONCAT(DATA,_blocks);p;p=p->next) { \
+ struct PIKE_CONCAT(DATA,_block) * p, * np; \
+ p = PIKE_CONCAT(DATA,_blocks); \
+ while (p) { \
 int n = p->used; \
 int i; \
+ np = p->next; \
 for (i = 0; n && i < (sizeof(p->x)/sizeof(struct DATA)); i++) { \
 BLOCK = &p->x[i]; \
 if (FCOND) { \
@@ -110,6 +112,7 @@
 --n; \
 } \
 } \
+ p = np; \
 } \
 } while(0)
-- 
GitLab
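Review bot: Saving `np = p->next` before the inner loop in the first hunk only protects the walk against CODE releasing the current block; if CODE can also release the successor block or relink the block list, `np` is already stale when the second hunk's `p = np;` runs. The inner loop likewise keeps evaluating `BLOCK = &p->x[i]` and FCOND on `p` after CODE has run, which is safe only if the block is released exactly when the snapshot `n` reaches zero; the CODE invocation sits on a line between the two hunks, so this is inferred rather than visible. I would state the contract above the macro, e.g. `/* CODE may free BLOCK, and with it the current block, but must not free other entries or blocks of DATA. */`. The new local `np` also joins `p`, `n` and `i` as names that shadow same-named identifiers used inside FCOND or CODE, so a less collision-prone name such as `next_blk_` would be safer.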