From 1d0997bb751d652e40851bb4ea6354d2eebcb2c2 Mon Sep 17 00:00:00 2001 From: Markus Armbruster Date: Wed, 27 Jul 2016 08:06:32 +0200 Subject: [PATCH 15/16] json-streamer: fix double-free on exiting during a parse RH-Author: Markus Armbruster Message-id: <1469606792-13115-3-git-send-email-armbru@redhat.com> Patchwork-id: 71486 O-Subject: [RHEV-7.3 qemu-kvm-rhev PATCH 2/2] json-streamer: fix double-free on exiting during a parse Bugzilla: 1360612 RH-Acked-by: Miroslav Rezanina RH-Acked-by: Laurent Vivier RH-Acked-by: Laszlo Ersek From: Paolo Bonzini Now that json-streamer tries not to leak tokens on incomplete parse, the tokens can be freed twice if QEMU destroys the json-streamer object during the parser->emit call. To fix this, create the new empty GQueue earlier, so that it is already in place when the old one is passed to parser->emit. Reported-by: Changlong Xie Signed-off-by: Paolo Bonzini Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini (cherry picked from commit a942d8fa01f65279cdc135f4294db611bbc088ef) Signed-off-by: Markus Armbruster Signed-off-by: Miroslav Rezanina --- qobject/json-streamer.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c index 7164390..c51c202 100644 --- a/qobject/json-streamer.c +++ b/qobject/json-streamer.c @@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input, { JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer); JSONToken *token; + GQueue *tokens; switch (type) { case JSON_LCURLY: @@ -96,9 +97,12 @@ out_emit: /* send current list of tokens to parser and reset tokenizer */ parser->brace_count = 0; parser->bracket_count = 0; - /* parser->emit takes ownership of parser->tokens. */ - parser->emit(parser, parser->tokens); + /* parser->emit takes ownership of parser->tokens. Remove our own + * reference to parser->tokens before handing it out to parser->emit. + */ + tokens = parser->tokens; parser->tokens = g_queue_new(); + parser->emit(parser, tokens); parser->token_size = 0; } -- 1.8.3.1