Fix: avoid double-free in build_index_from_idx_file
If the validation at the end of build_index_from_idx_file fails, the
index_entry variable will still point to the last processed index entry.
That same entry will also have been added to the index->entries array.

In the error path, we free index_entry and the index object, which frees
that index entry twice.

Fix it by clearing index_entry after adding the entry to the index
object (the ownership is conceptually transferred).

I don't add a test with this patch, because the file that triggers this
bug now hits a bug further in the processing.  That file will be added
in the testsuite when it will no longer make babeltrace crash.

Change-Id: I091785895541105273c5d07d49f35628c2682e30
Signed-off-by: Simon Marchi <[email protected]>
Reviewed-on: https://review.lttng.org/c/babeltrace/+/2211
Reviewed-by: Francis Deslauriers <[email protected]>
CI-Build: Francis Deslauriers <[email protected]>
Tested-by: jenkins <[email protected]>
simark authored and jgalar committed Oct 17, 2019
1 parent a7d6bdf commit c0ba90e
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion src/plugins/ctf/fs-src/data-stream-file.c
Expand Up @@ -448,8 +448,11 @@ struct ctf_fs_ds_index *build_index_from_idx_file(
total_packets_size += packet_size;
file_pos += file_index_entry_size;

g_ptr_array_add(index->entries, index_entry);
prev_index_entry = index_entry;

/* Give ownership of `index_entry` to `index->entries`. */
g_ptr_array_add(index->entries, index_entry);
index_entry = NULL;
}

/* Validate that the index addresses the complete stream. */
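
Review bot: After `index_entry = NULL;` at the end of the loop body, the error path that the commit message says frees `index_entry` will be handed NULL whenever the final validation fails, so that free must be NULL-safe. The error path is outside this hunk, so please confirm this or guard the call. Separately, `prev_index_entry = index_entry;` now leaves `prev_index_entry` as a borrowed pointer to an entry owned by `index->entries`; extending the new ownership comment to say that `prev_index_entry` is non-owning would make it less likely that a later change frees it. The commit message also notes that no test accompanies the fix, so the deferred reproducer file should be tracked so that the regression test is added once the later crash is resolved.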