Author: Honza Horak
License: BSD
Error: USE_AFTER_FREE (CWE-825):
mysql-5.5.32/client/mysqltest.cc:7800: freed_arg: "mysql_stmt_close(MYSQL_STMT *)" frees "stmt".
mysql-5.5.32/libmysql/libmysql.c:4685:3: freed_arg: "my_free(void *)" frees parameter "stmt".
mysql-5.5.32/mysys/my_malloc.c:134:3: freed_arg: "free(void *)" frees parameter "ptr".
mysql-5.5.32/client/mysqltest.cc:7810: deref_arg: Calling "mysql_stmt_errno(MYSQL_STMT *)" dereferences freed pointer "stmt".
mysql-5.5.32/libmysql/libmysql.c:4717:3: deref_parm: Directly dereferencing parameter "stmt".
Error: USE_AFTER_FREE (CWE-825):
mysql-5.5.32/mysys/my_malloc.c:110: freed_arg: "my_free(void *)" frees "oldpoint".
mysql-5.5.32/mysys/my_malloc.c:134:3: freed_arg: "free(void *)" frees parameter "ptr".
mysql-5.5.32/mysys/my_malloc.c:112: use_after_free: Using freed pointer "oldpoint".
Error: USE_AFTER_FREE (CWE-825):
mysql-5.5.32/mysys/my_copy.c:98: closed_arg: "my_close(File, myf)" closes "from_file".
mysql-5.5.32/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd".
mysql-5.5.32/mysys/my_copy.c:136: double_close: Calling "my_close(File, myf)" closes handle "from_file" which has already been closed.
mysql-5.5.32/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd".
Error: USE_AFTER_FREE (CWE-825):
mysql-5.5.32/mysys/my_copy.c:98: closed_arg: "my_close(File, myf)" closes "to_file".
mysql-5.5.32/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd".
mysql-5.5.32/mysys/my_copy.c:139: double_close: Calling "my_close(File, myf)" closes handle "to_file" which has already been closed.
mysql-5.5.32/mysys/my_open.c:77:5: closed_arg: "close(int)" closes parameter "fd".
diff -up mysql-5.5.30/client/mysqltest.cc.broken mysql-5.5.30/client/mysqltest.cc
--- mysql-5.5.30/client/mysqltest.cc.broken 2013-04-10 14:37:57.135806903 +0200
+++ mysql-5.5.30/client/mysqltest.cc 2013-04-10 14:38:06.160836622 +0200
@@ -7788,13 +7788,6 @@ end:
   }
   revert_properties();
-  /* Close the statement if - no reconnect, need new prepare */
-  if (mysql->reconnect)
-  {
-    mysql_stmt_close(stmt);
-    cur_con->stmt= NULL;
-  }
-
   /* We save the return code (mysql_stmt_errno(stmt)) from the last call sent to the server into the mysqltest builtin variable $mysql_errno. This
@@ -7803,6 +7796,13 @@ end:
   var_set_errno(mysql_stmt_errno(stmt));
+  /* Close the statement if - no reconnect, need new prepare */
+  if (mysql->reconnect)
+  {
+    mysql_stmt_close(stmt);
+    cur_con->stmt= NULL;
+  }
+
   DBUG_VOID_RETURN;
 }
diff -up mysql-5.5.30/mysys/my_copy.c.broken mysql-5.5.30/mysys/my_copy.c
--- mysql-5.5.30/mysys/my_copy.c.broken 2013-04-10 14:42:25.707600738 +0200
+++ mysql-5.5.30/mysys/my_copy.c 2013-04-10 14:44:23.987862849 +0200
@@ -98,6 +98,9 @@ int my_copy(const char *from, const char
   if (my_close(from_file,MyFlags) | my_close(to_file,MyFlags))
     DBUG_RETURN(-1); /* Error on close */
+  /* Reinitialize closed fd, so they won't be closed again */
+  from_file = to_file = -1;
+
   /* Copy modes if possible */
   if (MyFlags & MY_HOLD_ORIGINAL_MODES && !new_file_stat)
diff -up mysql-5.5.32/mysys/my_malloc.c.p34 mysql-5.5.32/mysys/my_malloc.c
--- mysql-5.5.32/mysys/my_malloc.c.p34 2013-06-19 13:56:58.325308657 +0200
+++ mysql-5.5.32/mysys/my_malloc.c 2013-06-19 13:57:47.369307799 +0200
@@ -90,13 +90,13 @@ void *my_realloc(void *oldpoint, size_t
 #ifdef USE_HALLOC
   if (!(point = malloc(size)))
   {
-    if (my_flags & MY_FREE_ON_ERROR)
-      my_free(oldpoint);
     if (my_flags & MY_HOLD_ON_ERROR)
       DBUG_RETURN(oldpoint);
     my_errno=errno;
     if (my_flags & MY_FAE+MY_WME)
       my_error(EE_OUTOFMEMORY, MYF(ME_BELL + ME_WAITTANG + ME_FATALERROR),size);
+    if (my_flags & MY_FREE_ON_ERROR)
+      my_free(oldpoint);
   }
   else
   {
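Review bot: The correctness of this fix rests entirely on statement order — `var_set_errno(mysql_stmt_errno(stmt))` has to read the error code before `mysql_stmt_close(stmt)` releases the handle (the report above traces mysql_stmt_close to my_free of stmt) — yet the comment moved along with the block, `/* Close the statement if - no reconnect, need new prepare */`, says nothing about that, so a later cleanup could reorder the two again. Suggest rewording the comment on the new side in the second mysqltest.cc hunk to `/* Must stay after var_set_errno(mysql_stmt_errno(stmt)) above: mysql_stmt_close() frees stmt. On reconnect the statement needs a new prepare, so drop it here. */`. The enclosing function begins before the first hunk and its `end:` label path is only partly visible, so callers that reach `end:` with `stmt` already closed cannot be ruled out from here.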
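Review bot: The new `from_file = to_file = -1;` is reached only on the success path; on the failing branch the code takes `DBUG_RETURN(-1)` directly, so no second close happens there, and the fix is sound only if the cleanup at the error label that the report points at (my_copy.c lines 136 and 139, outside this hunk) tests the descriptors for `>= 0` before calling `my_close` — worth confirming, since without that guard the reset changes nothing. The added comment repeats the assignment rather than the invariant; `/* Both descriptors are now closed; mark them invalid so the error path does not close them a second time */` would say why -1 is chosen. my_copy's body continues past both ends of the hunk.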
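Review bot: Moving `my_free(oldpoint)` below the `MY_HOLD_ON_ERROR` early return silently changes flag precedence: when both flags are set the old block is now returned intact instead of being freed and then handed back, which is the right outcome but is recorded nowhere in the hunk, and the same reordering is repeated in the `#else` realloc branch in the following hunk. A one-line comment on the moved lines in both branches would pin it down: `/* Free last: oldpoint must survive the MY_HOLD_ON_ERROR return above, and my_error() may not return for ME_FATALERROR */` (the latter clause is an inference from the flag name and should be checked against my_error). The function's header comment, outside the hunk, should also state that with `MY_FREE_ON_ERROR` the caller receives NULL and must not touch `oldpoint` afterwards.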
@@ -106,13 +106,13 @@ void *my_realloc(void *oldpoint, size_t
 #else
   if ((point= realloc(oldpoint, size)) == NULL)
   {
-    if (my_flags & MY_FREE_ON_ERROR)
-      my_free(oldpoint);
     if (my_flags & MY_HOLD_ON_ERROR)
       DBUG_RETURN(oldpoint);
     my_errno=errno;
     if (my_flags & (MY_FAE+MY_WME))
       my_error(EE_OUTOFMEMORY, MYF(ME_BELL + ME_WAITTANG + ME_FATALERROR), size);
+    if (my_flags & MY_FREE_ON_ERROR)
+      my_free(oldpoint);
   }
 #endif
   DBUG_PRINT("exit",("ptr: %p", point));