diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2016-07-04 14:40:59 +0200 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2016-07-12 18:31:27 +0200 |
| commit | a942d8fa01f65279cdc135f4294db611bbc088ef (patch) | |
| tree | 53b1a60d73631a374879b545ff7b8c8c95e3c615 /qobject | |
| parent | 28ba61e7ff2a824e79a477192aee8ee20b95f194 (diff) | |
| download | qemu-a942d8fa01f65279cdc135f4294db611bbc088ef.tar.gz | |
json-streamer: fix double-free on exiting during a parse
Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call. To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.
Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'qobject')
| -rw-r--r-- | qobject/json-streamer.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c index 7164390cf5..c51c2021f9 100644 --- a/qobject/json-streamer.c +++ b/qobject/json-streamer.c @@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input, { JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer); JSONToken *token; + GQueue *tokens; switch (type) { case JSON_LCURLY: @@ -96,9 +97,12 @@ out_emit: /* send current list of tokens to parser and reset tokenizer */ parser->brace_count = 0; parser->bracket_count = 0; - /* parser->emit takes ownership of parser->tokens. */ - parser->emit(parser, parser->tokens); + /* parser->emit takes ownership of parser->tokens. Remove our own + * reference to parser->tokens before handing it out to parser->emit. + */ + tokens = parser->tokens; parser->tokens = g_queue_new(); + parser->emit(parser, tokens); parser->token_size = 0; } |