Summary: Fix segv in RefCount operator=.

Keywords:

When a cycle is broken for refcounted objects, if the breaking smart pointer is in one of the cycled objects, and is freed as a result, we could end up assigned to freed RAM.

diff --git a/include/RefCount.h b/include/RefCount.h
index d64693173175206f40e6919e8335dcb5e3b56810..03dec83c30d410b97c753117757c9d2c759cb08e 100644 (file)
--- a/include/RefCount.h
+++ b/include/RefCount.h
@@ -1,6 +1,6 @@
 
 /*
- * $Id: RefCount.h,v 1.5 2003/03/15 04:17:38 robertc Exp $
+ * $Id: RefCount.h,v 1.6 2003/06/23 11:14:52 robertc Exp $
  *
  * DEBUG: section xx    Refcount allocator
  * AUTHOR:  Robert Collins
@@ -62,8 +62,7 @@ public:
         // This preserves semantics on self assignment
         C const *newP_ = p.p_;
         reference(p);
-        dereference();
-        p_ = newP_;
+        dereference(newP_);
         return *this;
     }
 
@@ -90,12 +89,16 @@ public:
     }
 
 private:
-    void dereference()
+    void dereference(C const *newP = NULL)
     {
-        if (p_ && p_->RefCountDereference() == 0)
-            p_->deleteSelf();
-
-        p_ = NULL;
+        /* Setting p_ first is important:
+        * we may be freed ourselves as a result of
+        * p_->deleteSelf();
+        */
+        C const *tempP_ (p_);
+       p_ = newP;
+        if (tempP_ && tempP_->RefCountDereference() == 0)
+            tempP_->deleteSelf();
     }
 
     void reference (const RefCount& p)