[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 12/56] json-streamer: fix double-free on exiting dur
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 12/56] json-streamer: fix double-free on exiting during a parse |
Date: |
Mon, 8 Aug 2016 16:03:43 -0500 |
From: Paolo Bonzini <address@hidden>
Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call. To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.
Reported-by: Changlong Xie <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit a942d8fa01f65279cdc135f4294db611bbc088ef)
Signed-off-by: Michael Roth <address@hidden>
---
qobject/json-streamer.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
index 7164390..c51c202 100644
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer,
GString *input,
{
JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
JSONToken *token;
+ GQueue *tokens;
switch (type) {
case JSON_LCURLY:
@@ -96,9 +97,12 @@ out_emit:
/* send current list of tokens to parser and reset tokenizer */
parser->brace_count = 0;
parser->bracket_count = 0;
- /* parser->emit takes ownership of parser->tokens. */
- parser->emit(parser, parser->tokens);
+ /* parser->emit takes ownership of parser->tokens. Remove our own
+ * reference to parser->tokens before handing it out to parser->emit.
+ */
+ tokens = parser->tokens;
parser->tokens = g_queue_new();
+ parser->emit(parser, tokens);
parser->token_size = 0;
}
--
1.9.1
- [Qemu-devel] [PATCH 00/56] Patch Round-up for stable 2.6.1, freeze on 2016-08-12, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 09/56] configure: Allow builds with extra warnings, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 10/56] migration: regain control of images when migration fails to complete, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 11/56] json-streamer: Don't leak tokens on incomplete parse, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 12/56] json-streamer: fix double-free on exiting during a parse,
Michael Roth <=
- [Qemu-devel] [PATCH 13/56] esp: check command buffer length before write(CVE-2016-4439), Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 15/56] block/nfs: refuse readahead if cache.direct is on, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 16/56] usb/ohci: Fix crash with when specifying too many num-ports, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 17/56] vga: add sr_vbe register set, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 14/56] esp: check dma length before reading scsi command(CVE-2016-4441), Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 22/56] Fix configure test for PBKDF2 in nettle, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 18/56] vfio: Fix broken EEH, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 20/56] nbd: Don't trim unrequested bytes, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 01/56] i386: kvmvapic: initialise imm32 variable, Michael Roth, 2016/08/08
- [Qemu-devel] [PATCH 19/56] block/iscsi: avoid potential overflow of acb->task->cdb, Michael Roth, 2016/08/08