review.tizen.org Git - platform/upstream/dbus.git/commit

author	Simon McVittie <smcv@collabora.com>
	Tue, 4 Jul 2017 14:38:57 +0000 (15:38 +0100)
committer	sanghyeok.oh <sanghyeok.oh@samsung.com>
	Fri, 1 Feb 2019 01:21:29 +0000 (10:21 +0900)
commit	4633187bb24e9b1219e9127214ca4c0c550803eb
tree	cbef6ac670a967a496631c1dac7c5a137a5bb6ae	tree \| snapshot
parent	996d216ea6881cbf0700c7990135169e7fb16369	commit \| diff

dbus_message_iter_open_container: Don't leak signature on failure

If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().

One might reasonably worry that this change can break callers that use
this (incorrect) pattern:

    if (!dbus_message_iter_open_container (outer, ..., inner))
      {
        dbus_message_iter_abandon_container (outer, inner);
        goto fail;
      }
    /* now we know inner is open, and we must close it later */

However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.

This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.

Change-Id: I2ccd4b516c7714f64c4543dd8d2e5c99633733a5
Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568