When it's the last item that is removed, int_thread_hash == hash and we would
still call int_thread_release(&hash) while hash is already freed. So
int_thread_release would compare that dangling pointer to NULL which is
undefined behaviour. Instead do already what int_thread_release() would do,
and make the call do nothing instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
RT: #4155, MR: #1519
if (int_thread_hash_references == 1
&& int_thread_hash
&& lh_ERR_STATE_num_items(int_thread_hash) == 0) {
+ int_thread_hash_references = 0;
lh_ERR_STATE_free(int_thread_hash);
int_thread_hash = NULL;
+ hash = NULL;
}
}
CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
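Review bot: The two added assignments in the `lh_ERR_STATE_num_items(int_thread_hash) == 0` branch carry no comment explaining why the reference count is zeroed and the local `hash` is cleared. The int_thread_release(&hash) call that depends on them, named in the commit message, lies outside this hunk. A short comment above `int_thread_hash_references = 0;` would help: it should say that this branch performs the release itself and that `hash = NULL;` makes the later int_thread_release(&hash) do nothing. That would keep a later cleanup from dropping either line and bringing back the comparison against a freed pointer. It is also worth confirming that int_thread_release() returns on a NULL `*hash` before it touches int_thread_hash_references, since the count is already 0 at that point and a further decrement would take it negative.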