From patchwork Fri Apr 9 09:46:19 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [STABLE,01/10] json-parser: Fix segfault on malformed input From: Kevin Wolf X-Patchwork-Id: 49796 Message-Id: <1270806388-28138-2-git-send-email-kwolf@redhat.com> To: aurelien@aurel32.net Cc: kwolf@redhat.com, qemu-devel@nongnu.org Date: Fri, 9 Apr 2010 11:46:19 +0200 If the parser fails to parse the key in parse_pair, it will access a NULL pointer. A simple way to trigger this is sending {foo} via QMP. This patch turns the segfault into a syntax error reply. Signed-off-by: Kevin Wolf Signed-off-by: Aurelien Jarno (cherry picked from commit d758d90fe1f74a46042fca665036a23b4d5fe87d) --- json-parser.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/json-parser.c b/json-parser.c index 2ab6f6c..3497cd3 100644 --- a/json-parser.c +++ b/json-parser.c @@ -266,7 +266,7 @@ static int parse_pair(JSONParserContext *ctxt, QDict *dict, QList **tokens, va_l peek = qlist_peek(working); key = parse_value(ctxt, &working, ap); - if (qobject_type(key) != QTYPE_QSTRING) { + if (!key || qobject_type(key) != QTYPE_QSTRING) { parse_error(ctxt, peek, "key is not a string in object"); goto out; }
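Review bot: the NULL guard is the right fix, but the single error message now covers two different failures: in the hunk, `if (!key || qobject_type(key) != QTYPE_QSTRING)` reports "key is not a string in object" both when the key parsed to a non-string value and when parse_value returned NULL because the key could not be parsed at all (the `{foo}` case from the description). Consider a distinct message for the NULL case, e.g. "expected a key in object", so the syntax error returned over QMP tells the client which of the two it hit. Also worth confirming that the cleanup at the `out:` label (not shown in the hunk) tolerates `key` being NULL on this new path.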