From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 27 Apr 2016 14:29:08 +0000 (+0200)
Subject: replay: Fix dangling location bug in replay_configure()
X-Git-Tag: v2.6.0-rc4~8^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9d3aaea0b3fbb5028e20316bdb93359487cd01f;p=thirdparty%2Fqemu.git

replay: Fix dangling location bug in replay_configure()

replay_configure() pushes and pops a Location with automatic storage
duration.  Except it fails to pop when -icount parameter "rr" isn't
given.  cur_loc then points to unused stack space, and will most
likely get clobbered in short order.

Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
report bogus locations.

Broken in commit 890ad55.

I didn't take the time to find a reproducer.

Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <1461767349-15329-3-git-send-email-armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
---

diff --git a/replay/replay.c b/replay/replay.c
index 7c2573a6127..167fd2942d6 100644
--- a/replay/replay.c
+++ b/replay/replay.c
@@ -275,7 +275,7 @@ void replay_configure(QemuOpts *opts)
     rr = qemu_opt_get(opts, "rr");
     if (!rr) {
         /* Just enabling icount */
-        return;
+        goto out;
     } else if (!strcmp(rr, "record")) {
         mode = REPLAY_MODE_RECORD;
     } else if (!strcmp(rr, "replay")) {
@@ -293,6 +293,7 @@ void replay_configure(QemuOpts *opts)
 
     replay_enable(fname, mode);
 
+out:
     loc_pop(&loc);
 }