From 3a092c05c2cbc137ccf2ef90168540910d1653af Mon Sep 17 00:00:00 2001 From: =?utf8?q?J=C3=A9r=C3=A9mie=20Galarneau?= Date: Fri, 29 Nov 2013 13:26:42 -0500 Subject: [PATCH] Fix ctf-writer: possible use after free MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit ctf_stream_pos' base_mma member must be copied from stream->pos before updating the final packet and content sizes. The original base_mma structure will be reallocated if the packet is resized. Signed-off-by: Jérémie Galarneau Signed-off-by: Mathieu Desnoyers --- formats/ctf/writer/stream.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/formats/ctf/writer/stream.c b/formats/ctf/writer/stream.c
index ac894297..4efb3692 100644
--- a/formats/ctf/writer/stream.c
+++ b/formats/ctf/writer/stream.c
@@ -464,7 +464,10 @@ int bt_ctf_stream_flush(struct bt_ctf_stream *stream)
 /*
 * Update the packet total size and content size and overwrite the
 * packet context.
+ * Copy base_mma as the packet may have been remapped (e.g. when a
+ * packet is resized).
 */
+ packet_context_pos.base_mma = stream->pos.base_mma;
 ret = set_structure_field_integer(stream_class->packet_context,
 "content_size", stream->pos.offset);
 if (ret) {
-- 
2.34.1
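Review bot: The added `packet_context_pos.base_mma = stream->pos.base_mma;` re-syncs only the mapping pointer, so it is correct only if the packet context's offset relative to `base_mma` is invariant across the remap that motivates the fix; if a resize can also move the mapping's base offset, any other positional field that `packet_context_pos` snapshotted earlier would still address the old location, and that invariant should be confirmed against the remap path or those fields copied alongside `base_mma`. The snapshot is also only valid until the next operation that may remap `stream->pos`; anything between this line and the point where the packet context is written back that could grow the packet would re-introduce the stale pointer this commit removes, so the new line deserves a comment such as `/* Snapshot is only valid until the next call that may remap stream->pos; serialize the packet context before any further writes. */`. The hunk does not show the copy being taken after the final field update, so the ordering relative to the later serialize call is inferred from the hunk context rather than visible here. bt_ctf_stream_flush's body starts and ends outside the hunk.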