--- subversion-1.10.2/subversion/libsvn_repos/authz.c	

+++ subversion-1.10.2/subversion/libsvn_repos/authz.c	

@@ -130,6 +130,30 @@

 static svn_object_pool__t *filtered_pool = NULL;

 static svn_atomic_t authz_pool_initialized = FALSE;

+/*

+ * Ensure that we will initialize authz again if the pool which

+ * our authz caches depend on is cleared.

+ *

+ * HTTPD may run pre/post config hooks multiple times and clear

+ * its global configuration pool which our authz pools depend on.

+ * This happens in a non-threaded context during HTTPD's intialization

+ * and HTTPD's main loop, so it is safe to reset static variables here.

+ * (And any applications which cleared this pool while SVN threads

+ * were running would crash no matter what.)

+ *

+ * See issue #4880, "Use-after-free of object-pools in

+ * subversion/libsvn_repos/authz.c when used as httpd module"

+ */

+static apr_status_t

+deinit_authz(void *data)

+{

+  /* The two object pools run their own cleanup handlers. */

+  authz_pool = NULL;

+  filtered_pool = NULL;

+  authz_pool_initialized = FALSE;

+  return APR_SUCCESS;

+}

+

 /* Implements svn_atomic__err_init_func_t. */

 static svn_error_t *

 synchronized_authz_initialize(void *baton, apr_pool_t *pool)

@@ -143,6 +167,7 @@

   SVN_ERR(svn_object_pool__create(&authz_pool, multi_threaded, pool));

   SVN_ERR(svn_object_pool__create(&filtered_pool, multi_threaded, pool));

+  apr_pool_cleanup_register(pool, NULL, deinit_authz, apr_pool_cleanup_null);

   return SVN_NO_ERROR;

 }