From b399ad0eca4484e0cd9f99ef28bcdb044f93a991 Mon Sep 17 00:00:00 2001
From: Benjamin Poirier
Date: Mon, 19 Oct 2009 15:33:03 -0400
Subject: [PATCH] Fix use after free of "filter/expression" attribute

As evidenced by Valgrind:
Invalid read of size 4
   at 0x402E248: process_traceset (batchAnalysis.c:103)
   by 0x80558E5: lttv_hooks_call (hook.c:272)
   by 0x8053596: main (main.c:219)
 Address 0x4cea1b8 is 88 bytes inside a block of size 256 free'd
   at 0x4024D47: realloc (vg_replace_malloc.c:476)
   [...]
   by 0x402E204: process_traceset (batchAnalysis.c:97)
   by 0x80558E5: lttv_hooks_call (hook.c:272)
   by 0x8053596: main (main.c:219)

Signed-off-by: Benjamin Poirier
---
 lttv/modules/text/batchAnalysis.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lttv/modules/text/batchAnalysis.c b/lttv/modules/text/batchAnalysis.c
index 00286e2c..aa303520 100644
--- a/lttv/modules/text/batchAnalysis.c
+++ b/lttv/modules/text/batchAnalysis.c
@@ -100,6 +100,13 @@ static gboolean process_traceset(void *hook_data, void *call_data)
       LTTV_POINTER, &value_filter);
   g_assert(retval);
 
+  /* Repeat the search for the first element, the second search might have
+   * moved the first element (by creating the second element)
+   */
+  retval= lttv_iattribute_find_by_path(attributes, "filter/expression",
+      LTTV_POINTER, &value_expression);
+  g_assert(retval);
+
   *(value_filter.v_pointer) = lttv_filter_new();
   //g_debug("Filter string: %s",((GString*)*(value_expression.v_pointer))->str);
 
-- 
2.34.1
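Review bot: The repeated lookup still leaves a pointer into the attribute table (`value_expression.v_pointer`) live for the rest of the function, so the fix holds only as long as no further attribute is created between this point and the last use of that pointer; the added comment should say that the invalidation comes from a realloc of the attribute storage inside `lttv_iattribute_find_by_path` (the Valgrind trace places it at line 97) and that `value_filter` stays valid only because the repeated search finds an existing element and does not grow the table again. A sturdier shape is to read the stored value out immediately after each lookup, e.g. `GString *expression = (GString *)*(value_expression.v_pointer);` right after the added `g_assert(retval);`, and use `expression` below instead of dereferencing the slot later (the GString type is taken from the commented-out g_debug line, so confirm it). Note also that with `G_DISABLE_ASSERT` the `g_assert(retval)` guards compile away and a failed lookup would dereference an unset `v_pointer`; an explicit `if (!retval) return FALSE;` would keep the check in release builds. process_traceset's body continues on both sides of the hunk.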