On Mon, 07/04 14:40, Paolo Bonzini wrote:
> Now that json-streamer tries not to leak tokens on incomplete parse,
> the tokens can be freed twice if QEMU destroys the json-streamer
> object during the parser->emit call. To fix this, create the new
> empty GQueue earlier, so that it is already in place when the old
> one is passed to parser->emit.
>
> Reported-by: Changlong Xie <xiecl.f...@cn.fujitsu.com>
> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
Two meta questions:
Is there a reproducer and/or test case coverage?
Does qemu-stable need this?
Fam
> ---
> qobject/json-streamer.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/qobject/json-streamer.c b/qobject/json-streamer.c
> index 7164390..c51c202 100644
> --- a/qobject/json-streamer.c
> +++ b/qobject/json-streamer.c
> @@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer,
> GString *input,
> {
> JSONMessageParser *parser = container_of(lexer, JSONMessageParser,
> lexer);
> JSONToken *token;
> + GQueue *tokens;
>
> switch (type) {
> case JSON_LCURLY:
> @@ -96,9 +97,12 @@ out_emit:
> /* send current list of tokens to parser and reset tokenizer */
> parser->brace_count = 0;
> parser->bracket_count = 0;
> - /* parser->emit takes ownership of parser->tokens. */
> - parser->emit(parser, parser->tokens);
> + /* parser->emit takes ownership of parser->tokens. Remove our own
> + * reference to parser->tokens before handing it out to parser->emit.
> + */
> + tokens = parser->tokens;
> parser->tokens = g_queue_new();
> + parser->emit(parser, tokens);
> parser->token_size = 0;
> }
>
> --
> 1.8.3.1
>
>
