In the error path, 'new_apdu->a_data' is not freed.
This can be triggered by the guest continuely.
Signed-off-by: Li Qiang <liqiang6-s@xxxxxx>
---
src/card_7816.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/card_7816.c b/src/card_7816.c
index b598ef9..0082504 100644
--- a/src/card_7816.c
+++ b/src/card_7816.c
@@ -341,12 +341,12 @@ vcard_apdu_new(unsigned char *raw_apdu, int len, vcard_7816_status_t *status)
new_apdu->a_len = len;
*status = vcard_apdu_set_class(new_apdu);
if (*status != VCARD7816_STATUS_SUCCESS) {
- g_free(new_apdu);
+ vcard_apdu_delete(new_apdu);
return NULL;
}
*status = vcard_apdu_set_length(new_apdu);
if (*status != VCARD7816_STATUS_SUCCESS) {
- g_free(new_apdu);
+ vcard_apdu_delete(new_apdu);
new_apdu = NULL;
}
return new_apdu;
--
1.8.3.1
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel