From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <vdavydov.dev@gmail.com>
Date: Tue, 17 Jul 2018 13:16:51 +0300
From: Vladimir Davydov <vdavydov.dev@gmail.com>
Subject: Re: [RFC PATCH 13/23] vinyl: fix potential use-after-free in
 vy_read_view_merge
Message-ID: <20180717101651.orzfksfyb2unc36c@esperanza>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <f07f3431379d298c8e292dd6b18893d6ece84118.1531065648.git.vdavydov.dev@gmail.com>
References: <cover.1531065648.git.vdavydov.dev@gmail.com>
 <f07f3431379d298c8e292dd6b18893d6ece84118.1531065648.git.vdavydov.dev@gmail.com>
To: tarantool-patches@freelists.org
Cc: kostja@tarantool.org
List-ID: <tarantool-patches.dev.tarantool.org>

On Sun, Jul 08, 2018 at 07:48:44PM +0300, Vladimir Davydov wrote:
> If is_first_insert flag is set and vy_stmt_type(rv->tuple) equals
> IPROTO_DELETE, we free rv->tuple, but then we dereference it via
> an on-stack variable to check if we need to turn a REPLACE into an
> INSERT or vice versa. Fix this.
> ---
>  src/box/vy_write_iterator.c | 18 +++++++++---------
>  1 file changed, 9 insertions(+), 9 deletions(-)

This one is trivial. I pushed it to 1.10.