| Message ID | 20240626033949.1017381-1-namhyung@google.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | libtraceevent: Fix a double free in process_op() | expand |
diff --git a/src/event-parse.c b/src/event-parse.c index 9f0522c..c327917 100644 --- a/src/event-parse.c +++ b/src/event-parse.c @@ -2375,8 +2375,11 @@ process_op(struct tep_event *event, struct tep_print_arg *arg, char **tok) /* it will set arg->op.right */ type = process_cond(event, arg, tok); - if (type == TEP_EVENT_ERROR) - free(token); + if (type == TEP_EVENT_ERROR) { + /* arg->op.op (= token) will be freed at out_free */ + arg->op.op = NULL; + goto out_free; + } } else if (strcmp(token, ">>") == 0 || strcmp(token, "<<") == 0 ||
When process_cond() failed, it freed the token but didn't reset the arg->op.op to NULL. So it tried to free the arg->op.op again from free_arg() from the caller and resulted in a double free. Signed-off-by: Namhyung Kim <namhyung@google.com> --- src/event-parse.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)