libdrgn: fix use after free when formatting compound types
compound_initializer_init_next() saves a pointer to the compound initializer stack and uses it after appending to the stack, which may have reallocated the stack.
This commit is contained in:
parent
ecef9d74ef
commit
a3248b51e3
@ -1007,6 +1007,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
|
||||
struct compound_initializer_iter *iter =
|
||||
container_of(iter_, struct compound_initializer_iter, iter);
|
||||
struct compound_initializer_state *top;
|
||||
uint64_t bit_offset;
|
||||
struct drgn_type_member *member;
|
||||
struct drgn_qualified_type member_type;
|
||||
|
||||
@ -1022,6 +1023,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
|
||||
continue;
|
||||
}
|
||||
|
||||
bit_offset = top->bit_offset;
|
||||
member = top->member++;
|
||||
err = drgn_member_type(member, &member_type);
|
||||
if (err)
|
||||
@ -1037,7 +1039,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
|
||||
!(iter->flags & DRGN_FORMAT_OBJECT_MEMBER_NAMES) ||
|
||||
!drgn_type_has_members(member_type.type)) {
|
||||
err = drgn_object_slice(obj_ret, iter->obj, member_type,
|
||||
top->bit_offset + member->bit_offset,
|
||||
bit_offset + member->bit_offset,
|
||||
member->bit_field_size);
|
||||
if (err)
|
||||
return err;
|
||||
@ -1062,7 +1064,7 @@ compound_initializer_iter_next(struct initializer_iter *iter_,
|
||||
return &drgn_enomem;
|
||||
new->member = drgn_type_members(member_type.type);
|
||||
new->end = new->member + drgn_type_num_members(member_type.type);
|
||||
new->bit_offset = top->bit_offset + member->bit_offset;
|
||||
new->bit_offset = bit_offset + member->bit_offset;
|
||||
}
|
||||
|
||||
*flags_ret = iter->member_flags;
|
||||
|
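Review bot: The copy `bit_offset = top->bit_offset;` at the top of the second hunk is the whole fix, but nothing at that line says it must happen before the stack is grown, so a later edit can reintroduce the bug simply by reaching for `top` again; a why-comment belongs there, e.g. `/* Copy before pushing a new state: the push may reallocate the stack and invalidate top. */`. The hazard is also worth making mechanical: after the push that precedes `return &drgn_enomem;` in the last hunk (the push itself is outside the visible lines), `top` is still in scope and presumably dangling once the stack reallocates, so `top = NULL;` right after the push would turn any future reuse into a deterministic crash instead of a silent use-after-free. `member` needs no such treatment, since `new->member = drgn_type_members(member_type.type)` shows it points into the type's member array rather than the stack. The enclosing compound_initializer_iter_next starts and ends outside the hunks, so any other use of `top` after the push cannot be checked from here.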