| Message ID | 20221021014359.4656-1-shangxiaojing@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 4c79560b5a6c71f84e6731fd37f35ffb4e3837a6 |
| Headers | show |
| Series | libtraceevent: Fix double free in event_read_fields() | expand |
diff --git a/src/event-parse.c b/src/event-parse.c index a0d7da5..d842f9d 100644 --- a/src/event-parse.c +++ b/src/event-parse.c @@ -1779,7 +1779,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field ** ret = append(&brackets, "", "]"); if (ret < 0) { free(brackets); - goto fail; + goto fail_expect; } /* add brackets to type */
There is a double free in event_read_fields(). After calling free_token() to free the token, if append() failed, then goto fail, which will call free_token() again. Triggered by compiling with perf and run "perf sched record". Fix the double free by goto fail_expect instead of fail while append() failed, which won't call redundant free_token(). BUG: double free free(): double free detected in tcache 2 Aborted Fixes: ae6c0749ca74 ("tools lib traceevent: Handle realloc() failure path") Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com> --- src/event-parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)