From: robertc <>
Date: Mon, 23 Jun 2003 17:14:52 +0000 (+0000)
Subject: Summary: Fix segv in RefCount operator=.
X-Git-Tag: SQUID_3_0_PRE1~92
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db812f897f548f30a2df8ad854f84490f3f8dded;p=thirdparty%2Fsquid.git
Summary: Fix segv in RefCount operator=.
Keywords: When a cycle is broken for refcounted objects, if the breaking smart pointer is in one of the cycled objects, and is freed as a result, we could end up assigned to freed RAM.
---
diff --git a/include/RefCount.h b/include/RefCount.h
index d646931731..03dec83c30 100644
--- a/include/RefCount.h
+++ b/include/RefCount.h
@@ -1,6 +1,6 @@
 /*
- * $Id: RefCount.h,v 1.5 2003/03/15 04:17:38 robertc Exp $
+ * $Id: RefCount.h,v 1.6 2003/06/23 11:14:52 robertc Exp $
 *
 * DEBUG: section xx Refcount allocator
 * AUTHOR: Robert Collins
@@ -62,8 +62,7 @@ public:
 // This preserves semantics on self assignment
 C const *newP_ = p.p_;
 reference(p);
- dereference();
- p_ = newP_;
+ dereference(newP_);
 return *this;
 }
@@ -90,12 +89,16 @@ public:
 }
 private:
- void dereference()
+ void dereference(C const *newP = NULL)
 {
- if (p_ && p_->RefCountDereference() == 0)
- p_->deleteSelf();
-
- p_ = NULL;
+ /* Setting p_ first is important:
+ * we may be freed ourselves as a result of
+ * p_->deleteSelf();
+ */
+ C const *tempP_ (p_);
+ p_ = newP;
+ if (tempP_ && tempP_->RefCountDereference() == 0)
+ tempP_->deleteSelf();
 }
 void reference (const RefCount& p)
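Review bot: In `operator=` (second hunk), `return *this;` still runs after `dereference(newP_)`, and in the scenario the commit message describes this RefCount lives inside the object that `deleteSelf()` has just destroyed, so the returned reference can refer to freed memory. The store to `p_` is now ordered safely, but a caller that uses the result of the assignment (a chained `a = b = c`, for instance) would still read freed RAM in that case. I would record the constraint above the return, e.g. `// *this may already be destroyed here if the old pointee owned us; do not touch members or rely on the returned reference in that case`, so nobody later adds a member access after the call. The signature and opening of `operator=` lie outside the hunk, so this is based on the visible tail of the function only.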
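Review bot: In the new `dereference()` body (third hunk), the local `tempP_` carries the trailing underscore that this class uses for its member `p_`, which blurs the one distinction the fix depends on: once `deleteSelf()` has run, only locals may be touched. A plain local name makes that visible at a glance, e.g. `C const *old = p_;` followed by `if (old && old->RefCountDereference() == 0) old->deleteSelf();`. The block comment could also state that the default `newP = NULL` keeps the previous clear-on-release behaviour for callers that pass no argument, and that `deleteSelf()` must remain the last statement of the function.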