From: Petteri Aimonen
Date: Sat, 6 Sep 2014 15:21:58 +0000 (+0300)
Subject: Fix crash in pb_release() if called twice on same message.
X-Git-Tag: 5.0.2~186^2~193
X-Git-Url: https://gerrit.automotivelinux.org/gerrit/gitweb?a=commitdiff_plain;h=13a07e35b6b5f813078bde6a1a17d05f017bf714;p=apps%2Fagl-service-can-low-level.git

Fix crash in pb_release() if called twice on same message.

There was a double-free bug in pb_release() because it didn't set size fields to zero after deallocation. Most commonly this happens if pb_decode() fails, internally calls pb_release() and then application code also calls pb_release().
---
diff --git a/pb_decode.c b/pb_decode.c
index 5d211023..ecd46dc1 100644
--- a/pb_decode.c
+++ b/pb_decode.c
@@ -895,22 +895,27 @@ void pb_release(const pb_field_t fields[], void *dest_struct)
 pb_free(*pItem);
 *pItem++ = NULL;
 }
+ *(pb_size_t*)iter.pSize = 0;
 }
 else if (PB_LTYPE(type) == PB_LTYPE_SUBMESSAGE)
 {
 /* Release fields in submessages */
 void *pItem = *(void**)iter.pData;
- pb_size_t count = (pItem ? 1 : 0);
-
- if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
- {
- count = *(pb_size_t*)iter.pSize;
- }
-
- while (count--)
+ if (pItem)
 {
- pb_release((const pb_field_t*)iter.pos->ptr, pItem);
- pItem = (uint8_t*)pItem + iter.pos->data_size;
+ pb_size_t count = 1;
+
+ if (PB_HTYPE(type) == PB_HTYPE_REPEATED)
+ {
+ count = *(pb_size_t*)iter.pSize;
+ *(pb_size_t*)iter.pSize = 0;
+ }
+
+ while (count--)
+ {
+ pb_release((const pb_field_t*)iter.pos->ptr, pItem);
+ pItem = (uint8_t*)pItem + iter.pos->data_size;
+ }
 }
 }
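Review bot: In the submessage branch the repeated-field count is only reset inside `if (pItem)`, so a repeated submessage field whose array pointer is already NULL but whose count is stale keeps that count after pb_release() returns, whereas the string/bytes branch above zeroes `*(pb_size_t*)iter.pSize` unconditionally after its loop. Since the purpose of this commit is to leave the struct safe for a second pb_release(), I would zero the count regardless of the pointer, e.g. add `if (PB_HTYPE(type) == PB_HTYPE_REPEATED) *(pb_size_t*)iter.pSize = 0;` after the `if (pItem) { ... }` block (the inner reset then becomes redundant and can go). Whether a NULL pointer with a non-zero count can actually be reached after a failed pb_decode() is not visible from this hunk, so this is defensive consistency rather than a confirmed crash. pb_release() continues outside the hunk; the release of the array pointer itself is not visible here.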