From: Nick Alcock <nick.alcock@oracle.com>
Date: Thu, 6 Nov 2025 16:30:23 +0000 (+0000)
Subject: libctf: ctf_dynhash_next_remove: fix crash on error case
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57272443e203f77e53e59d6d5a63e3342a497c9b;p=thirdparty%2Fbinutils-gdb.git

libctf: ctf_dynhash_next_remove: fix crash on error case

If this is called on an errored-out or freed iterator, it's meant to do
nothing, just like free().  Instead, it dereferences a null pointer due
to a couple of early tests being done in the wrong order.

Fix that.

libctf/
	* ctf-hash.c (ctf_dynhash_next_remove): Check for null iterator
	before dereferencing it.
---

diff --git a/libctf/ctf-hash.c b/libctf/ctf-hash.c
index d8941420f00..ac0e3cb783c 100644
--- a/libctf/ctf-hash.c
+++ b/libctf/ctf-hash.c
@@ -598,12 +598,12 @@ ctf_dynhash_next_remove (ctf_next_t * const *it)
 {
   ctf_next_t *i = *it;
 
-  if ((void (*) (void)) ctf_dynhash_next != i->ctn_iter_fun)
-    return ECTF_NEXT_WRONGFUN;
-
   if (!i)
     return ECTF_NEXT_END;
 
+  if ((void (*) (void)) ctf_dynhash_next != i->ctn_iter_fun)
+    return ECTF_NEXT_WRONGFUN;
+
   if (i->ctn_n == 0)
     return ECTF_NEXT_END;