Fix: avoid double-free in build_index_from_idx_file
authorSimon Marchi <simon.marchi@efficios.com>
Wed, 16 Oct 2019 20:45:22 +0000 (16:45 -0400)
committerJérémie Galarneau <jeremie.galarneau@efficios.com>
Thu, 17 Oct 2019 19:53:02 +0000 (15:53 -0400)
If the validation at the end of build_index_from_idx_file fails, the
index_entry variable will still point to the last processed index entry.
That same entry will also have been added to the index->entries array.

In the error path, we free index_entry and the index object, which frees
that index entry twice.

Fix it by clearing index_entry after adding the entry to the index
object (the ownership is conceptually transferred).

I don't add a test with this patch, because the file that triggers this
bug now hits a bug further in the processing.  That file will be added
in the testsuite when it will no longer make babeltrace crash.

Change-Id: I091785895541105273c5d07d49f35628c2682e30
Signed-off-by: Simon Marchi <simon.marchi@efficios.com>
Reviewed-on: https://review.lttng.org/c/babeltrace/+/2211
Reviewed-by: Francis Deslauriers <francis.deslauriers@efficios.com>
CI-Build: Francis Deslauriers <francis.deslauriers@efficios.com>
Tested-by: jenkins <jenkins@lttng.org>
src/plugins/ctf/fs-src/data-stream-file.c

index 4f2c8375f5b32efe1e15eb0474ccd302f80cfced..5f811214f917634a980854e1dd2cf3fe1f14adbc 100644 (file)
@@ -448,8 +448,11 @@ struct ctf_fs_ds_index *build_index_from_idx_file(
                total_packets_size += packet_size;
                file_pos += file_index_entry_size;
 
-               g_ptr_array_add(index->entries, index_entry);
                prev_index_entry = index_entry;
+
+               /* Give ownership of `index_entry` to `index->entries`. */
+               g_ptr_array_add(index->entries, index_entry);
+               index_entry = NULL;
        }
 
        /* Validate that the index addresses the complete stream. */
This page took 0.02699 seconds and 4 git commands to generate.