Log Message: |
Fix memory lifetime problem in a libsvn_wc error code path.
* subversion/libsvn_wc/wc_db_update_move.c
(suitable_for_move): Calling svn_sqlite__column_text() with a NULL result
pool twice means the result of the first call becomes invalid. Store the
child_relpath variable in a pool. It is passed to path_for_error_message()
later, after another call to svn_sqlite__column_text() with a NULL result
pool has already occurred.
Crash observed on OpenBSD:
#0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:125
#1 0x00000c38d5de6db7 in svn_dirent_join (
base=0xc38dfe1ef00 "/home/stsp/svn/svn-1.12.0/subversion/tests/libsvn_wc/svn-test-work/working-copies/move_update_subtree",
component=0xc390ca94fc8 '\337' <repeats 55 times>, <incomplete sequence \337><error: Cannot access memory at address 0xc390ca95000>, pool=0xc38eeceff00)
at subversion/libsvn_subr/dirent_uri.c:1007
#2 0x00000c38f686a815 in path_for_error_message (wcroot=0xc387ee3d300,
local_relpath=0xc390ca94fc8 '\337' <repeats 55 times>, <incomplete sequence \337><error: Cannot access memory at address 0xc390ca95000>,
result_pool=0xc38eeceff00) at subversion/libsvn_wc/wc_db_update_move.c:167
#3 0x00000c38f686ad1f in suitable_for_move (wcroot=0xc387ee3d300,
local_relpath=0xc387efe4ce0 "A/B", scratch_pool=0xc38eeceff00)
at subversion/libsvn_wc/wc_db_update_move.c:2192
|