
[v2,1/3] libtraceevent: Fix double free in parsing sizeof()

Message ID 20230324200924.287521-2-rostedt@goodmis.org (mailing list archive)
State Accepted
Commit a4b1ba5f874078f3a54ede67edd56f2b26ae079b
Series libtraceevent: Fix double free in process_sizeof()

Commit Message

Steven Rostedt March 24, 2023, 8:09 p.m. UTC
From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

Google's fuzz testing caught a double free in process_sizeof(). If "ok" is
set, it means that token contains the last part of sizeof() (should be the
')'). Otherwise, the token contains the last item in the parenthesis of
sizeof(), and the next token needs to be read.

The problem is, in this case, the token is read into the token holder
"tok" and not to token. That means the next "free_token()" will free the
token that was already freed and what was just read.

Note, the "ok" variable is a horrible name and needs to be changed, but
that's outside the scope of this update.

Fixes: 2d0573af4dfda ("libtraceevent: Be able to handle some sizeof() calls")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 src/event-parse.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/src/event-parse.c b/src/event-parse.c
index e655087dad60..2584b3605136 100644
--- a/src/event-parse.c
+++ b/src/event-parse.c
@@ -3591,8 +3591,9 @@  process_sizeof(struct tep_event *event, struct tep_print_arg *arg, char **tok)
 	}
 
 	if (!ok) {
+		/* The token contains the last item before the parenthesis */
 		free_token(token);
-		type = read_token_item(event->tep, tok);
+		type = read_token_item(event->tep, &token);
 	}
 	if (test_type_token(type, token,  TEP_EVENT_DELIM, ")"))
 		goto error;
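Review bot: the added comment on the `if (!ok)` branch says "the last item before the parenthesis", but the commit message describes it as the last item inside the parentheses of sizeof(), i.e. the token just before the closing ')'; suggest "/* token holds the last item inside the parentheses; read the closing ')' */" so the comment matches the `test_type_token(type, token, TEP_EVENT_DELIM, ")")` check that follows. Also note the behavioural change beyond the double free: the old code wrote the freshly read token into `*tok` (the caller's token holder), while the new code reads into the local `token` and leaves `*tok` untouched, so please confirm that `*tok` is still assigned on the success path after this hunk; otherwise the caller could be handed a stale or NULL token once the ')' has been consumed.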