From: Jérémie Galarneau Date: Fri, 29 Nov 2013 18:26:42 +0000 (-0500) Subject: Fix ctf-writer: possible use after free X-Git-Tag: v1.2.0-rc1~37 X-Git-Url: http://git.efficios.com/?p=babeltrace.git;a=commitdiff_plain;h=3a092c05c2cbc137ccf2ef90168540910d1653af Fix ctf-writer: possible use after free ctf_stream_pos' base_mma member must be copied from stream->pos before updating the final packet and content sizes. The original base_mma structure will be reallocated if the packet is resized. Signed-off-by: Jérémie Galarneau Signed-off-by: Mathieu Desnoyers --- diff --git a/formats/ctf/writer/stream.c b/formats/ctf/writer/stream.c index ac894297..4efb3692 100644 --- a/formats/ctf/writer/stream.c +++ b/formats/ctf/writer/stream.c @@ -464,7 +464,10 @@ int bt_ctf_stream_flush(struct bt_ctf_stream *stream) /* * Update the packet total size and content size and overwrite the * packet context. + * Copy base_mma as the packet may have been remapped (e.g. when a + * packet is resized). */ + packet_context_pos.base_mma = stream->pos.base_mma; ret = set_structure_field_integer(stream_class->packet_context, "content_size", stream->pos.offset); if (ret) {
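Review bot: The new assignment `packet_context_pos.base_mma = stream->pos.base_mma;` in bt_ctf_stream_flush() refreshes only one member of packet_context_pos, and the added comment does not say why that is sufficient. The commit message explains that base_mma is reallocated when the packet is resized. The in-code comment should state that as well, and should note that packet_context_pos is an earlier copy of stream->pos whose other members remain valid after a remap. Without that, a later reader cannot tell whether other members derived from the mapping also go stale. The fix also depends on nothing resizing the packet between this line and the last use of packet_context_pos. If the set_structure_field_integer() calls or the packet context rewrite that follows can trigger a resize, the pointer is stale again. It is worth confirming that none of them can, or moving the copy to immediately before packet_context_pos is used to overwrite the packet context.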