Patch for a bug in server/select.c
Bang Jun-Young
bjy at mogua.org
Wed May 16 09:14:16 CDT 2001
ChangeLog:
* server/select.c:
Bang Jun-Young <bjy at mogua.org>
Call poll_event() only if pollfd[i].revents has no error bit
set as a result of poll().
Description:
select_loop() in server/select.c has a serious problem that
causes a segmentation fault in certain conditions. Take a look
at the following code:
        ret = poll( pollfd, nb_users, diff );
        sigprocmask( SIG_BLOCK, &sigset, NULL );
        if (ret > 0)
        {
            int i;
            for (i = 0; i < nb_users; i++)
            {
                if (pollfd[i].revents)
                {
                    poll_users[i]->ops->poll_event( poll_users[i], pollfd[i].revents );
                    if (!--ret) break;
                }
            }
        }
    }
Suppose that
    ret = poll( pollfd, nb_users, diff );
has returned with an error bit (one of POLLERR, POLLHUP, or POLLNVAL)
set in pollfd[].revents. Those error codes are defined as positive
numbers in poll.h, so in this case when
    poll_users[i]->ops->poll_event( poll_users[i], pollfd[i].revents );
is called, it tries to access an already freed function and
causes a segfault.
Jun-Young
--
Bang Jun-Young <bjy at mogua.org>
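
How poll() reports the conditions described in the message above, as an added example that is not from the original message or from Wine's source: a constructed dispatch loop that retires a descriptor flagged POLLNVAL (or a stale slot) instead of calling through it, while still recording POLLHUP for a live one. The names struct user, dispatch and demo are hypothetical, and Linux pipe semantics are assumed.

```c
#include <poll.h>
#include <unistd.h>

/* Hypothetical stand-in for the server's per-descriptor object. */
struct user { int seen; int removed; };

/* Walk one poll() result set; returns how many entries were retired. */
static int dispatch(struct pollfd *pfd, struct user **users, int n, int ret)
{
    int i, dropped = 0;
    for (i = 0; i < n && ret > 0; i++)
    {
        if (!pfd[i].revents) continue;
        ret--;
        if (!users[i] || (pfd[i].revents & POLLNVAL))
        {
            /* Stale slot or closed fd: no call; poll() ignores fd < 0. */
            pfd[i].fd = -1;
            if (users[i]) users[i]->removed = 1;
            dropped++;
            continue;
        }
        /* POLLERR/POLLHUP arrive even though only POLLIN was requested. */
        users[i]->seen = pfd[i].revents;
    }
    return dropped;
}

/* Constructed scenario: pipe p has data and no writer, pipe q is closed. */
static int demo(int *hup_revents, int *removed, int *second_ret)
{
    int p[2], q[2], ret, dropped;
    struct user a = { 0, 0 }, b = { 0, 0 };
    struct user *users[2] = { &a, &b };
    struct pollfd pfd[2];
    if (pipe(p) || pipe(q)) return -1;
    if (write(p[1], "x", 1) != 1) return -1;
    close(p[1]); close(q[0]); close(q[1]);
    pfd[0].fd = p[0]; pfd[0].events = POLLIN; pfd[0].revents = 0;
    pfd[1].fd = q[0]; pfd[1].events = POLLIN; pfd[1].revents = 0;
    ret = poll(pfd, 2, 0);                 /* both entries report */
    dropped = dispatch(pfd, users, 2, ret);
    *hup_revents = a.seen; *removed = b.removed;
    *second_ret = poll(pfd, 2, 0);         /* only the live pipe reports now */
    close(p[0]);
    return dropped;
}

int main(void) { int h, r, s; return demo(&h, &r, &s) == 1 ? 0 : 1; }
```
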
-------------- next part --------------
--- server/select.c.orig Tue Jan 25 10:40:27 2000
+++ server/select.c Tue May 1 15:58:52 2001
@@ -257,7 +257,8 @@
int i;
for (i = 0; i < nb_users; i++)
{
- if (pollfd[i].revents)
+ if (pollfd[i].revents &&
+ !(pollfd[i].revents & (POLLERR | POLLHUP | POLLNVAL)))
{
poll_users[i]->ops->poll_event( poll_users[i], pollfd[i].revents );
if (!--ret) break;
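Review bot: the added test on pollfd[i].revents skips every entry that has POLLERR, POLLHUP or POLLNVAL set, but nothing in this hunk removes that descriptor from pollfd[] or tells poll_users[i] about it, so the next poll() will report the same bits again and select_loop() can spin on it. A descriptor that reports POLLIN together with POLLHUP is skipped as well, so its pending data is never handed to poll_event(). Skipped entries also never reach "if (!--ret) break;", so the early exit stops working once one of them is present. Consider fixing the stale entry instead: drop the slot (or stop polling it) on POLLNVAL, guard the call against a poll_users[i] that has already been freed, and keep passing POLLERR and POLLHUP to poll_event() so the handler can close the descriptor. A short comment on why the error bits are special here would help too.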