| commit | f24582d6ad8a080e008974c000bf0ae635d036ac | |
| author | Laszlo Ersek <lersek@redhat.com> | |
| Tue, 20 Mar 2012 10:22:48 +0000 (20 11:22 +0100) | ||
| committer | Luiz Capitulino <lcapitulino@redhat.com> | |
| Tue, 27 Mar 2012 12:11:00 +0000 (27 09:11 -0300) | ||
| tree | 8724e20f9af9e8c9e6c8e3e90b2e94fb30a51d98 | treesnapshot (tar.gz zip) |
| parent | 8a22565b7c2d1920b02b94e7a8021c65895a3a22 | commitdiff |
qapi: fix double free in qmp_output_visitor_cleanup()
Stack entries in QmpOutputVisitor are navigation links (weak references),
except the bottom (ie. least recently added) entry, which owns the root
QObject [1]. Make qmp_output_visitor_cleanup() drop the stack entries,
then release the QObject tree by the root.
Attempting to serialize an invalid enum inside a dictionary is an example
for triggering the double free.
[1] http://lists.nongnu.org/archive/html/qemu-devel/2012-03/msg03276.html
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
Stack entries in QmpOutputVisitor are navigation links (weak references),
except the bottom (ie. least recently added) entry, which owns the root
QObject [1]. Make qmp_output_visitor_cleanup() drop the stack entries,
then release the QObject tree by the root.
Attempting to serialize an invalid enum inside a dictionary is an example
for triggering the double free.
[1] http://lists.nongnu.org/archive/html/qemu-devel/2012-03/msg03276.html
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Luiz Capitulino <lcapitulino@redhat.com>
| qapi/qmp-output-visitor.c | diffblobblamehistory |