From: Benjamin Poirier Date: Mon, 19 Oct 2009 19:33:03 +0000 (-0400) Subject: Fix use after free of "filter/expression" attribute X-Git-Tag: v0.12.20~11 X-Git-Url: https://git.lttng.org/?p=lttv.git;a=commitdiff_plain;h=b399ad0eca4484e0cd9f99ef28bcdb044f93a991 Fix use after free of "filter/expression" attribute As evidenced by Valgrind: Invalid read of size 4 at 0x402E248: process_traceset (batchAnalysis.c:103) by 0x80558E5: lttv_hooks_call (hook.c:272) by 0x8053596: main (main.c:219) Address 0x4cea1b8 is 88 bytes inside a block of size 256 free'd at 0x4024D47: realloc (vg_replace_malloc.c:476) [...] by 0x402E204: process_traceset (batchAnalysis.c:97) by 0x80558E5: lttv_hooks_call (hook.c:272) by 0x8053596: main (main.c:219) Signed-off-by: Benjamin Poirier --- diff --git a/lttv/modules/text/batchAnalysis.c b/lttv/modules/text/batchAnalysis.c index 00286e2c..aa303520 100644 --- a/lttv/modules/text/batchAnalysis.c +++ b/lttv/modules/text/batchAnalysis.c @@ -100,6 +100,13 @@ static gboolean process_traceset(void *hook_data, void *call_data) LTTV_POINTER, &value_filter); g_assert(retval); + /* Repeat the search for the first element, the second search might have + * moved the first element (by creating the second element) + */ + retval= lttv_iattribute_find_by_path(attributes, "filter/expression", + LTTV_POINTER, &value_expression); + g_assert(retval); + *(value_filter.v_pointer) = lttv_filter_new(); //g_debug("Filter string: %s",((GString*)*(value_expression.v_pointer))->str);
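Review bot: The comment in the added block, just above the repeated lttv_iattribute_find_by_path call, speaks of "the first element" and "the second element" without naming them. It should name value_expression ("filter/expression") and the value_filter lookup directly above. It should also state the rule behind the fix: a value pointer returned by lttv_iattribute_find_by_path is stale once a later lookup creates an attribute on the same attributes object, which is what the realloc in the Valgrind trace shows. The fix depends on lookup order, so the same hazard would apply to value_filter if the two searches were ever swapped. Fetching value_expression once, after every lookup that can create an attribute has run, would avoid searching for it twice and make the ordering requirement explicit. Minor style point: "retval= lttv_iattribute_find_by_path(" is missing the space before "=".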