dbus_message_iter_open_container: Don't leak signature on failure
authorSimon McVittie <smcv@collabora.com>
Tue, 4 Jul 2017 14:38:57 +0000 (15:38 +0100)
committerSimon McVittie <smcv@collabora.com>
Wed, 5 Jul 2017 12:57:31 +0000 (13:57 +0100)
commitc462a6b395cf1e46df72c4d6edd5c5e401e79863
tree25f403288a4fd7a4f962eedc6687621f349551c0
parent0907c2b9fdc5c7194bb6fef16e6f1d67d830c95d
dbus_message_iter_open_container: Don't leak signature on failure

If we run out of memory while calling _dbus_type_writer_recurse()
(which is impossible for most contained types, but can happen for
structs and dict-entries), then the memory we allocated in the call to
_dbus_message_iter_open_signature() will still be allocated, and we
have to free it in order to return to the state of the world prior to
calling open_container().

One might reasonably worry that this change can break callers that use
this (incorrect) pattern:

    if (!dbus_message_iter_open_container (outer, ..., inner))
      {
        dbus_message_iter_abandon_container (outer, inner);
        goto fail;
      }
    /* now we know inner is open, and we must close it later */

However, testing that pattern with _dbus_test_oom_handling()
demonstrates that it already dies with a DBusString assertion failure
even before this commit.

This is all concerningly fragile, and I think the next step should be
to zero out DBusMessageIter instances when they are invalidated, so
that a "double-free" is always detected.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101568
(cherry picked from commit 031aa2ceb3dfff373e7b398dfc5d020d77262512)
dbus/dbus-message.c