[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PULL 05/14] json-streamer: fix double-free on exiting duri
From: |
Paolo Bonzini |
Subject: |
[Qemu-devel] [PULL 05/14] json-streamer: fix double-free on exiting during a parse |
Date: |
Wed, 13 Jul 2016 15:26:23 +0200 |
Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call. To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.
Reported-by: Changlong Xie <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
qobject/json-streamer.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 7164390..c51c202 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer,
GString *input,
{
JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
JSONToken *token;
+ GQueue *tokens;
switch (type) {
case JSON_LCURLY:
@@ -96,9 +97,12 @@ out_emit:
/* send current list of tokens to parser and reset tokenizer */
parser->brace_count = 0;
parser->bracket_count = 0;
- /* parser->emit takes ownership of parser->tokens. */
- parser->emit(parser, parser->tokens);
+ /* parser->emit takes ownership of parser->tokens. Remove our own
+ * reference to parser->tokens before handing it out to parser->emit.
+ */
+ tokens = parser->tokens;
parser->tokens = g_queue_new();
+ parser->emit(parser, tokens);
parser->token_size = 0;
}
--
1.8.3.1
- [Qemu-devel] [PULL 00/14] SCSI, chardev, build fixes for 2016-07-13, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 04/14] main-loop: check return value before using pointer, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 03/14] Use "-s" instead of "--quiet" to resolve non-fatal build error on FreeBSD., Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 05/14] json-streamer: fix double-free on exiting during a parse,
Paolo Bonzini <=
- [Qemu-devel] [PULL 06/14] disas: avoid including everything in headers compiled from C++, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 08/14] util: Fix MIN_NON_ZERO, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 01/14] scsi-bus: Add SCSI scanner support, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 02/14] scsi-bus: Use longer sense buffer with scanners, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 09/14] tap: use an exit notifier to call down_script, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 07/14] qemu-sockets: use qapi_free_SocketAddress in cleanup, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 10/14] slirp: use exit notifier for slirp_smb_cleanup, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 11/14] net: do not use atexit for cleanup, Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 13/14] hostmem: fix QEMU crash by 'info memdev', Paolo Bonzini, 2016/07/13
- [Qemu-devel] [PULL 12/14] char: do not use atexit cleanup handler, Paolo Bonzini, 2016/07/13