From ccb13e17325960c088f7ed25a73c91c5565db58c Mon Sep 17 00:00:00 2001
From: Juha Reunanen
Date: Tue, 7 Jul 2015 19:05:53 +0300
Subject: [PATCH] add sanity check in msg_t::rm_refs in order to avoid invalid memory access with u.zclmsg.refcnt
---
src/msg.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/msg.cpp b/src/msg.cpp
index 73abb26e..07ce88e4 100644
--- a/src/msg.cpp
+++ b/src/msg.cpp
@@ -467,7 +467,7 @@ bool zmq::msg_t::rm_refs (int refs_)
 }
 // The only message type that needs special care are long and zcopy messages.
- if (!u.lmsg.content->refcnt.sub (refs_)) {
+ if (u.base.type == type_lmsg && !u.lmsg.content->refcnt.sub(refs_)) {
 // We used "placement new" operator to initialize the reference
 // counter so we call the destructor explicitly now.
 u.lmsg.content->refcnt.~atomic_counter_t ();
@@ -479,7 +479,7 @@ bool zmq::msg_t::rm_refs (int refs_)
 return false;
 }
- if (!u.zclmsg.refcnt->sub (refs_)) {
+ if (is_zcmsg() && !u.zclmsg.refcnt->sub(refs_)) {
 // storage for rfcnt is provided externally
 if (u.zclmsg.ffn) {
 u.zclmsg.ffn(u.zclmsg.data, u.zclmsg.hint);
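Review bot: The two new type guards (`u.base.type == type_lmsg` in the hunk at -467 and `is_zcmsg()` in the hunk at -479) have no comment saying why the tag must be tested before the member is dereferenced, and the existing comment above the first one still reads as if both branches apply to every message. `u` appears to hold per-type layouts that share storage, so `u.lmsg.content` read on a zero-copy message would be unrelated bytes treated as a pointer; a comment such as `//  Test the type tag first: u.lmsg is only meaningful for type_lmsg, and reading it for another type dereferences an invalid pointer.` (with a matching one for `u.zclmsg`) would keep a later refactor from dropping the guard. As a style point, the new lines write `sub(refs_)` and `is_zcmsg()` where the replaced lines used `sub (refs_)` spacing, and the first guard compares the tag directly while the second goes through a helper, so picking one form for both would read more consistently. The body of `rm_refs` starts and ends outside both hunks, so whether a message of any other type can reach these branches cannot be judged from here.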