The field pointer is allocated and added to the fields list in a loop.
But it might refer to the previous one if it fails to parse before
allocating a new one.  In that case, it would free the previous field
but didn't update the link of the list for the one before it.  Moreover,
it doesn't need to free the previous one as it finished ok.

Let's reset the field pointer at the end of each iteration so that it
cannot see the previous one.  This was found by a fuzz test with an
event having only one field.

Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx>
---
 src/event-parse.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/event-parse.c b/src/event-parse.c
index 8f4fb59..1ba2a78 100644
--- a/src/event-parse.c
+++ b/src/event-parse.c
@@ -1902,6 +1902,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
 		*fields = field;
 		fields = &field->next;
+		field = NULL;
 	} while (1);

-- 
2.36.1.255.ge46751e96f-goog
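Review bot: the added `field = NULL;` is only correct if the failure path guards its free with a NULL check (something like `if (field) free_field(field);`); that code is outside this hunk, so it is worth confirming, because a fail path that hands `field` unconditionally to a helper that reads its members would now get NULL instead of the linked field. It would also help to put a short comment on the new line, e.g. `field = NULL; /* now owned by the list */`, since nothing else in the loop body shows that `field` is reused across iterations and that the fail path may otherwise free a node the list still points to.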
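The failure mode the commit message describes, as an added example written for this page and not libtraceevent code: a loop that parses a keyword before allocating a new field, links each parsed field into a list, and on failure frees `field`. With a single field followed by junk, the second iteration fails before a fresh allocation, so `field` still names the node already linked at the head. The grammar, helper names and inputs are constructed; `free_field()` only marks a node as freed (instead of calling `free()`) so that the stale link can be inspected safely rather than causing undefined behaviour.

```c
/* Model of the event_read_fields() loop from the patch above, written for this
 * page to show why a stale `field` pointer corrupts the list on the error path.
 * Not libtraceevent code: the grammar, names and helpers are made up. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct field {
	char type[16];
	char name[16];
	struct field *next;
	int freed;	/* free_field() marks instead of freeing, so a stale link stays inspectable */
};

static struct field *arena[32];	/* every allocation, released in bulk by release_arena() */
static int arena_n;

static struct field *alloc_field(void)
{
	struct field *f = calloc(1, sizeof(*f));
	if (f && arena_n < 32)
		arena[arena_n++] = f;
	return f;
}

static void free_field(struct field *f)
{
	f->freed = 1;	/* would be free(f) in real code */
}

static void release_arena(void)
{
	while (arena_n > 0)
		free(arena[--arena_n]);
}

/* Copy the next space-separated token into out; returns its length, 0 at end of input. */
static size_t next_tok(const char **p, char *out, size_t cap)
{
	const char *s = *p;
	size_t n = 0;

	while (*s == ' ')
		s++;
	while (*s && *s != ' ' && n + 1 < cap)
		out[n++] = *s++;
	out[n] = '\0';
	*p = s;
	return n;
}

/* Constructed grammar: ("field" TYPE NAME ";")* "end".
 * Links parsed fields into *head and returns their count, or -1 on a parse error.
 * reset_each_iter selects the behaviour with (1) or without (0) the patch's fix. */
static int read_fields(const char *fmt, int reset_each_iter, struct field **head)
{
	struct field **fields = head;
	struct field *field = NULL;
	char tok[16];
	size_t len;
	int count = 0;

	do {
		/* the keyword is parsed before a new field is allocated, so a failure
		 * here leaves `field` pointing at the previous, already linked node */
		if (!next_tok(&fmt, tok, sizeof tok))
			goto fail;
		if (strcmp(tok, "end") == 0)
			return count;
		if (strcmp(tok, "field") != 0)
			goto fail;

		field = alloc_field();
		if (!field)
			goto fail;
		if (!next_tok(&fmt, field->type, sizeof field->type))
			goto fail;
		if (!next_tok(&fmt, field->name, sizeof field->name))
			goto fail;
		len = strlen(field->name);
		if (field->name[len - 1] != ';')
			goto fail;	/* frees the new, not yet linked field: correct */
		field->name[len - 1] = '\0';

		*fields = field;
		fields = &field->next;
		count++;
		if (reset_each_iter)
			field = NULL;	/* the one-line fix from the patch */
	} while (1);

fail:
	if (field)
		free_field(field);	/* without the fix this may be a node the list still owns */
	return -1;
}

static int list_has_freed_node(const struct field *head)
{
	for (; head; head = head->next)
		if (head->freed)
			return 1;
	return 0;
}

/* Parse fmt, report via *dangling whether the list links a freed node, then clean up.
 * Returns read_fields()'s result. */
static int run_case(const char *fmt, int fixed, int *dangling)
{
	struct field *head = NULL;
	int r = read_fields(fmt, fixed, &head);

	*dangling = list_has_freed_node(head);
	release_arena();
	return r;
}

int main(void)
{
	int r, d;

	/* constructed inputs: a well-formed event, then the fuzzer-style case of a
	 * single field followed by junk instead of "end" */
	r = run_case("field int a; field char b; end", 1, &d);
	printf("good:  r=%d dangling=%d\n", r, d);
	r = run_case("field int a; junk", 0, &d);
	printf("buggy: r=%d dangling=%d\n", r, d);
	r = run_case("field int a; junk", 1, &d);
	printf("fixed: r=%d dangling=%d\n", r, d);
	return 0;
}
```

In the unfixed run the head of the list still points at the node that the fail path "freed", which in the real code is a dangling pointer the caller will later walk or free again; with the reset in place the fail path frees nothing and the caller owns the intact partial list.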