From c0ba90e976d2b731c60b6faa8ae8de88f700b61a Mon Sep 17 00:00:00 2001
From: Simon Marchi
Date: Wed, 16 Oct 2019 16:45:22 -0400
Subject: [PATCH] Fix: avoid double-free in build_index_from_idx_file

If the validation at the end of build_index_from_idx_file fails, the index_entry variable will still point to the last processed index entry. That same entry will also have been added to the index->entries array. In the error path, we free index_entry and the index object, which frees that index entry twice.

Fix it by clearing index_entry after adding the entry to the index object (the ownership is conceptually transferred).

I don't add a test with this patch, because the file that triggers this bug now hits a bug further in the processing. That file will be added in the testsuite when it will no longer make babeltrace crash.

Change-Id: I091785895541105273c5d07d49f35628c2682e30
Signed-off-by: Simon Marchi
Reviewed-on: https://review.lttng.org/c/babeltrace/+/2211
Reviewed-by: Francis Deslauriers
CI-Build: Francis Deslauriers
Tested-by: jenkins
---
 src/plugins/ctf/fs-src/data-stream-file.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/plugins/ctf/fs-src/data-stream-file.c b/src/plugins/ctf/fs-src/data-stream-file.c
index 4f2c8375f..5f811214f 100644
--- a/src/plugins/ctf/fs-src/data-stream-file.c
+++ b/src/plugins/ctf/fs-src/data-stream-file.c
@@ -448,8 +448,11 @@ struct ctf_fs_ds_index *build_index_from_idx_file(
 		total_packets_size += packet_size;
 		file_pos += file_index_entry_size;
-		g_ptr_array_add(index->entries, index_entry);
 		prev_index_entry = index_entry;
+
+		/* Give ownership of `index_entry` to `index->entries`. */
+		g_ptr_array_add(index->entries, index_entry);
+		index_entry = NULL;
 	}
 
 	/* Validate that the index addresses the complete stream. */