jcs.org
qemu with hax to log dma reads & writes
jcs.org/2018/11/12/vfio
json-streamer: fix double-free on exiting during a parse
Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call. To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.
Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+6
-2
+6
-2
qobject/json-streamer.c
+6
-2
qobject/json-streamer.c
···
39
39
{
40
40
JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
41
41
JSONToken *token;
42
+
GQueue *tokens;
42
43
43
44
switch (type) {
44
45
case JSON_LCURLY:
···
96
97
/* send current list of tokens to parser and reset tokenizer */
97
98
parser->brace_count = 0;
98
99
parser->bracket_count = 0;
99
-
/* parser->emit takes ownership of parser->tokens. */
100
-
parser->emit(parser, parser->tokens);
100
+
/* parser->emit takes ownership of parser->tokens. Remove our own
101
+
* reference to parser->tokens before handing it out to parser->emit.
102
+
*/
103
+
tokens = parser->tokens;
101
104
parser->tokens = g_queue_new();
105
+
parser->emit(parser, tokens);
102
106
parser->token_size = 0;
103
107
}
104
108