On Mon, 6 Jun 2022 21:59:25 -0700
Namhyung Kim <namhyung@xxxxxxxxxx> wrote:

> The field pointer is allocated and added to the fields list in a
> loop. But it might refer to the previous one if it fails to parse before
> allocating a new one.
>
> In that case, it would free the previous field but didn't update the
> link of the list for the one before it. Moreover, it doesn't need to
> free the previous one as it finished ok. Let's reset the field
> pointer at the end of each iteration so that it cannot see the
> previous one.
>
> This was found by a fuzz test with an event having only one field.
>
> Signed-off-by: Namhyung Kim <namhyung@xxxxxxxxxx>

Applied. Thanks Namhyung!

-- Steve

> ---
>  src/event-parse.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/event-parse.c b/src/event-parse.c
> index 8f4fb59..1ba2a78 100644
> --- a/src/event-parse.c
> +++ b/src/event-parse.c
> @@ -1902,6 +1902,7 @@ static int event_read_fields(struct tep_event *event, struct tep_format_field **
>
>  		*fields = field;
>  		fields = &field->next;
> +		field = NULL;
>
>  	} while (1);
>
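Review bot: the `+ field = NULL;` line deserves a short comment explaining why it is there, since on its own it reads like a redundant assignment; something like `/* field is now linked into the list; never let the error path free it */` would stop a future cleanup from dropping it. The hunk shows only the end of the loop body, so the error path the description refers to (the one that frees `field` after a failed parse) is not visible here; pointing at it in the commit message, or including it as context, would let a reviewer confirm that every early exit from the loop now sees a NULL `field` rather than the one already reachable through `*fields`. Since the bug was found by fuzzing an event with a single field, that input is a good candidate to keep as a regression test for event_read_fields().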