shmpipe: Fix crash when sp_close_shm is called with self == NULL.

If sp_open_shm errors out trying to open a shm area, it would crash
when trying to free the area. The RETURN_ERROR macro calls
sp_shm_area_dec with self == NULL. sp_shm_area_dec calls
sp_close_shm with self == NULL, which then accesses a member of
self without checking it. This patch checks to make sure
self != NULL before accessing that member.
Olivier Crête 2010-04-07 19:05:37 -04:00
parent e8b4310aa6
commit b9decbb056


@ -297,26 +297,27 @@ sp_open_shm (char *path, int id, int writer, mode_t perms, size_t size)
static void static void
sp_close_shm (ShmPipe * self, ShmArea * area) sp_close_shm (ShmPipe * self, ShmArea * area)
{ {
ShmArea *item = NULL;
ShmArea *prev_item = NULL;
assert (area->use_count == 0); assert (area->use_count == 0);
if (area->allocspace) if (area->allocspace)
shm_alloc_space_free (area->allocspace); shm_alloc_space_free (area->allocspace);
if (self != NULL) {
ShmArea *item = NULL;
ShmArea *prev_item = NULL;
for (item = self->shm_area; item; item = item->next) { for (item = self->shm_area; item; item = item->next) {
if (item == area) { if (item == area) {
if (prev_item) if (prev_item)
prev_item->next = item->next; prev_item->next = item->next;
else else
self->shm_area = item->next; self->shm_area = item->next;
break; break;
}
prev_item = item;
} }
prev_item = item; assert (item);
} }
assert (item);
if (area->shm_area != MAP_FAILED) if (area->shm_area != MAP_FAILED)
munmap (area->shm_area, area->shm_area_len); munmap (area->shm_area, area->shm_area_len);
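Review bot: The new `if (self != NULL)` guard in sp_close_shm makes a NULL pipe a supported input, but nothing at the function says so, and the checks left outside the guard still trust `area` completely. A comment above the guard would record the contract, for example `/* self is NULL when sp_open_shm fails before the area belongs to a pipe; only unlink from the list when there is one */`. On that same error path `area->allocspace` and `area->shm_area` are read for an area that may be only partly set up, so it is worth confirming, outside this hunk, that sp_open_shm zeroes the struct and sets `shm_area = MAP_FAILED` before its first RETURN_ERROR; otherwise the closing `munmap` would act on an uninitialized pointer and length. The body of sp_close_shm continues past the end of the hunk.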