From: Jeff Law Date: Thu, 21 Jun 2012 23:15:38 +0000 (-0600) Subject: [BZ #14277] X-Git-Tag: glibc-2.16-tps~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=006dd86111c44572dbd3b26e9c63dd0f834d7762;p=thirdparty%2Fglibc.git [BZ #14277] * intl/dcigettext.c (_nl_find_msg): Avoid use after potential free. Simplify list management for _LIBC case.
---
diff --git a/ChangeLog b/ChangeLog
index f9ccbe6e3bd..6f3676f78a7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2012-06-21 Jeff Law
+
+ [BZ #14277]
+ * intl/dcigettext.c (_nl_find_msg): Avoid use after potential
+ free. Simplify list management for _LIBC case.
+
 2012-06-21 Joseph Myers
 [BZ #14273]
diff --git a/NEWS b/NEWS
index 8797a6bae70..1ce8ee3508a 100644
--- a/NEWS
+++ b/NEWS
@@ -30,7 +30,7 @@ Version 2.16 13983, 13986, 13996, 14012, 14027, 14033, 14034, 14036, 14040, 14043, 14044, 14048, 14049, 14050, 14053, 14055, 14059, 14064, 14075, 14080, 14083, 14103, 14104, 14109, 14112, 14117, 14122, 14123, 14134, 14153,
- 14183, 14188, 14199, 14210, 14218, 14229, 14241, 14273, 14278
+ 14183, 14188, 14199, 14210, 14218, 14229, 14241, 14273, 14277, 14278
 * Support for the x32 ABI on x86-64 added. The x32 target is selected by configuring glibc with:
diff --git a/intl/dcigettext.c b/intl/dcigettext.c
index f6b757379c8..fcd1c785cde 100644
--- a/intl/dcigettext.c
+++ b/intl/dcigettext.c
@@ -1155,7 +1155,7 @@ _nl_find_msg (domain_file, domainbinding, msgid, convert, lengthp)
 freemem_size);
 # ifdef _LIBC
 if (newmem != NULL)
- transmem_list = transmem_list->next;
+ transmem_list = newmem;
 else
 {
 struct transmem_list *old = transmem_list;
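Review bot: The success branch in the first intl/dcigettext.c hunk (`transmem_list = newmem;`) would benefit from a comment stating why repointing the head is sufficient, because that reasoning is exactly what the replaced line got wrong. The call that produces `newmem` is cut off above the hunk (only `freemem_size);` is visible) and is presumably a realloc of `transmem_list`; if so, on success the old head may already have been released and its `next` link travels with the resized block. I would add above the assignment something like `/* realloc succeeded: the old head may be gone and next was carried over, so repoint the head and never read through the old pointer.  */`. The else branch continues past the end of the hunk.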
@@ -1170,6 +1170,12 @@ _nl_find_msg (domain_file, domainbinding, msgid, convert, lengthp)
 malloc_count = 1;
 freemem_size = INITIAL_BLOCK_SIZE;
 newmem = (transmem_block_t *) malloc (freemem_size);
+# ifdef _LIBC
+ /* Add the block to the list of blocks we have to free
+ at some point. */
+ newmem->next = transmem_list;
+ transmem_list = newmem;
+# endif
 }
 if (__builtin_expect (newmem == NULL, 0))
 {
@@ -1180,11 +1186,6 @@ _nl_find_msg (domain_file, domainbinding, msgid, convert, lengthp)
 }
 # ifdef _LIBC
- /* Add the block to the list of blocks we have to free
- at some point. */
- newmem->next = transmem_list;
- transmem_list = newmem;
-
 freemem = (unsigned char *) newmem->data;
 freemem_size -= offsetof (struct transmem_list, data);
 # else
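Review bot: The block added after `malloc (freemem_size)` in the @@ -1170 hunk writes `newmem->next` before the `newmem == NULL` test that follows it, so in the _LIBC build an allocation failure on this path dereferences a null pointer instead of reaching the existing error return. Guard the link step, `if (newmem != NULL) { newmem->next = transmem_list; transmem_list = newmem; }`, so a failed malloc falls through to the check below with the list untouched. The @@ -1180 hunk removes the earlier copy of these two statements, which sat after the NULL check and was therefore the only place they were protected by it. The enclosing function starts and ends outside both hunks.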