cryptospore / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone
Source Code
GIT

Blame SOURCES/kvm-json-streamer-fix-double-free-on-exiting-during-a-pa.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-rhel c8-sig-altarch-stream-rhel c8-stream-rhel c8s-stream-rhel c9 c9-beta
  1.   c7
  2.   SOURCES
  3.   kvm-json-streamer-fix-double-free-on-exiting-during-a-pa.patch
Blob History Raw
34b321 
From a781053c1b5084ba32b86229b98b9601c990722c Mon Sep 17 00:00:00 2001
34b321 
From: Markus Armbruster <armbru@redhat.com>
34b321 
Date: Wed, 27 Jul 2016 07:35:13 +0200
34b321 
Subject: [PATCH 15/16] json-streamer: fix double-free on exiting during a
34b321 
 parse
34b321
34b321 
RH-Author: Markus Armbruster <armbru@redhat.com>
34b321 
Message-id: <1469604913-12442-17-git-send-email-armbru@redhat.com>
34b321 
Patchwork-id: 71484
34b321 
O-Subject: [RHEL-7.3 qemu-kvm PATCH v2 15/15] json-streamer: fix double-free on exiting during a parse
34b321 
Bugzilla: 1276036
34b321 
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
34b321 
RH-Acked-by: John Snow <jsnow@redhat.com>
34b321 
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
34b321
34b321 
From: Paolo Bonzini <pbonzini@redhat.com>
34b321
34b321 
Now that json-streamer tries not to leak tokens on incomplete parse,
34b321 
the tokens can be freed twice if QEMU destroys the json-streamer
34b321 
object during the parser->emit call.  To fix this, create the new
34b321 
empty GQueue earlier, so that it is already in place when the old
34b321 
one is passed to parser->emit.
34b321
34b321 
Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com>
34b321 
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
34b321 
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
34b321 
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
34b321 
(cherry picked from commit a942d8fa01f65279cdc135f4294db611bbc088ef)
34b321 
Signed-off-by: Markus Armbruster <armbru@redhat.com>
34b321 
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
34b321 
---
34b321 
 qobject/json-streamer.c | 8 ++++++--
34b321 
 1 file changed, 6 insertions(+), 2 deletions(-)
34b321
34b321 
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
34b321 
index 3c7d6be..7d041e1 100644
34b321 
--- a/qobject/json-streamer.c
34b321 
+++ b/qobject/json-streamer.c
34b321 
@@ -38,6 +38,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input,
34b321 
 {
34b321 
     JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
34b321 
     JSONToken *token;
34b321 
+    GQueue *tokens;
34b321
34b321 
     switch (type) {
34b321 
     case JSON_LCURLY:
34b321 
@@ -95,9 +96,12 @@ out_emit:
34b321 
     /* send current list of tokens to parser and reset tokenizer */
34b321 
     parser->brace_count = 0;
34b321 
     parser->bracket_count = 0;
34b321 
-    /* parser->emit takes ownership of parser->tokens.  */
34b321 
-    parser->emit(parser, parser->tokens);
34b321 
+    /* parser->emit takes ownership of parser->tokens.  Remove our own
34b321 
+     * reference to parser->tokens before handing it out to parser->emit.
34b321 
+     */
34b321 
+    tokens = parser->tokens;
34b321 
     parser->tokens = g_queue_new();
34b321 
+    parser->emit(parser, tokens);
34b321 
     parser->token_size = 0;
34b321 
 }
34b321
34b321 
--
34b321 
1.8.3.1
34b321

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation