authorEdward Welbourne <edward.welbourne@qt.io>2016-11-07 10:09:06 +0100
committerEdward Welbourne <edward.welbourne@qt.io>2016-11-23 15:02:15 +0000
commit0aa3de46cacacdb83efe1d5e5b2506560c93c9ff (patch)
tree87ad1e068b9652b15e068a47a35dfd8df4c90fa4 /src
parenta4bd635b33d08a4b58fb4db8cefd1e0535fb95eb (diff)
Fix two leaky uses of realloc()
If it fails, we get NULL back but haven't free()d the old pointer; saving the NULL return over the old pointer forgets it, leaking the memory it pointed to. This is particularly severe in the JSON parser's grow(), where reading a very large JSON document can lead to the last successful realloc() in a doubling pattern being very large indeed; the subsequent failure will leak this very last allocation. Only worth checking for, however, when the subsequent code takes care to handle failure: in most cases, if realloc() fails, we're about to crash anyway. Change-Id: Icd3a503f169be224f0a058c58e8b7c82a3241ae7 Reviewed-by: Marc Mutz <marc.mutz@kdab.com> Reviewed-by: Anton Kudryavtsev <antkudr@mail.ru>
Diffstat (limited to 'src')
-rw-r--r--src/corelib/json/qjsonparser.cpp5
-rw-r--r--src/corelib/json/qjsonparser_p.h5
2 files changed, 6 insertions, 4 deletions
diff --git a/src/corelib/json/qjsonparser.cpp b/src/corelib/json/qjsonparser.cpp
index c7b16d5ec9..a23741a85c 100644
--- a/src/corelib/json/qjsonparser.cpp
+++ b/src/corelib/json/qjsonparser.cpp
@@ -491,9 +491,10 @@ namespace {
memcpy(newValues, data, size*sizeof(QJsonPrivate::Value));
data = newValues;
} else {
- data = static_cast<QJsonPrivate::Value *>(realloc(data, alloc*sizeof(QJsonPrivate::Value)));
- if (!data)
+ void *newValues = realloc(data, alloc * sizeof(QJsonPrivate::Value));
+ if (!newValues)
return false;
+ data = static_cast<QJsonPrivate::Value *>(newValues);
}
return true;
}
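Review bot: The new `void *newValues` / `if (!newValues) return false;` sequence on lines 28-31 is correct but silent about why the result is parked in a temporary, and the next reader may "simplify" it back; add `// keep the old buffer reachable if realloc() fails, otherwise it leaks` above the realloc call. The size passed to realloc, `alloc * sizeof(QJsonPrivate::Value)`, is only safe if `alloc` is still a sane value when it reaches this line; how `alloc` is grown is outside the hunk, so if it is an int doubled in signed arithmetic, a bound such as `alloc <= INT_MAX / int(sizeof(QJsonPrivate::Value))` before the doubling would turn a potential overflow into the same clean `return false`. The enclosing grow() starts before this hunk, so I cannot confirm from here whether that check already exists.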
diff --git a/src/corelib/json/qjsonparser_p.h b/src/corelib/json/qjsonparser_p.h
index 82a7899a51..b17d75fb3a 100644
--- a/src/corelib/json/qjsonparser_p.h
+++ b/src/corelib/json/qjsonparser_p.h
@@ -101,11 +101,12 @@ private:
inline int reserveSpace(int space) {
if (current + space >= dataLength) {
dataLength = 2*dataLength + space;
- data = (char *)realloc(data, dataLength);
- if (!data) {
+ char *newData = (char *)realloc(data, dataLength);
+ if (!newData) {
lastError = QJsonParseError::DocumentTooLarge;
return -1;
}
+ data = newData;
}
int pos = current;
current += space;
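Review bot: On the failure path `dataLength` no longer describes the buffer: line 42 assigns `dataLength = 2*dataLength + space;` before the realloc, and when `newData` is null the function returns -1 with `data` still pointing at the old, smaller allocation while `dataLength` claims the larger size, so any later code that trusts `dataLength` as capacity (`current + space >= dataLength` on line 41 does exactly that) would write past the end. Compute into a local and commit only on success: `int newLength = 2*dataLength + space;`, `char *newData = (char *)realloc(data, newLength);`, then after `data = newData;` add `dataLength = newLength;`. Since `DocumentTooLarge` is the intended error here, it would also be cleaner to check `space > INT_MAX - 2*dataLength` (or compute in a wider type) and return -1 explicitly rather than relying on a signed-overflowed size making realloc fail; whether the callers guarantee `space` and `dataLength` stay small enough is not visible in this hunk. reserveSpace() continues past the end of the hunk.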