json-streamer: fix double-free on exiting during a parse
Now that json-streamer tries not to leak tokens on incomplete parse, the tokens can be freed twice if QEMU destroys the json-streamer object during the parser->emit call. To fix this, create the new empty GQueue earlier, so that it is already in place when the old one is passed to parser->emit. Reported-by: Changlong Xie <xiecl.fnst@cn.fujitsu.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <1467636059-12557-1-git-send-email-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
parent
28ba61e7ff
commit
a942d8fa01
@ -39,6 +39,7 @@ static void json_message_process_token(JSONLexer *lexer, GString *input,
|
||||
{
|
||||
JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
|
||||
JSONToken *token;
|
||||
GQueue *tokens;
|
||||
|
||||
switch (type) {
|
||||
case JSON_LCURLY:
|
||||
@ -96,9 +97,12 @@ out_emit:
|
||||
/* send current list of tokens to parser and reset tokenizer */
|
||||
parser->brace_count = 0;
|
||||
parser->bracket_count = 0;
|
||||
/* parser->emit takes ownership of parser->tokens. */
|
||||
parser->emit(parser, parser->tokens);
|
||||
/* parser->emit takes ownership of parser->tokens. Remove our own
|
||||
* reference to parser->tokens before handing it out to parser->emit.
|
||||
*/
|
||||
tokens = parser->tokens;
|
||||
parser->tokens = g_queue_new();
|
||||
parser->emit(parser, tokens);
|
||||
parser->token_size = 0;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user