Commit a942d8fa authored by Paolo Bonzini

json-streamer: fix double-free on exiting during a parse



Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call.  To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.

Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
parent 28ba61e7
+6 −2
@@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input,
{
    JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
    JSONToken *token;
    GQueue *tokens;

    switch (type) {
    case JSON_LCURLY:
@@ -96,9 +97,12 @@ out_emit:
    /* send current list of tokens to parser and reset tokenizer */
    parser->brace_count = 0;
    parser->bracket_count = 0;
    /* parser->emit takes ownership of parser->tokens.  */
    parser->emit(parser, parser->tokens);
    /* parser->emit takes ownership of parser->tokens.  Remove our own
     * reference to parser->tokens before handing it out to parser->emit.
     */
    tokens = parser->tokens;
    parser->tokens = g_queue_new();
    parser->emit(parser, tokens);
    parser->token_size = 0;
}
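Review bot: the fix detaches the queue before the callback, but `parser->token_size = 0;` still runs after `parser->emit(parser, tokens);`, and the commit message says that very call can destroy the json-streamer object. If the callback frees `parser`, that trailing write is a use-after-free of the same kind this patch is fixing for `tokens`. Move the reset up next to the other state resets so nothing touches `parser` after emit:

    parser->token_size = 0;
    tokens = parser->tokens;
    parser->tokens = g_queue_new();
    parser->emit(parser, tokens);

That leaves `parser->brace_count`, `parser->bracket_count`, `parser->token_size` and `parser->tokens` all in their fresh state before ownership of the old queue is handed out.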