@@ -37,7 +37,7 @@ static bool qapi_clone_start_struct(Visitor *v, const char *name, void **obj,
return true;
}
- *obj = g_memdup(*obj, size);
+ *obj = g_memdup2_qemu(*obj, size);
qcv->depth++;
return true;
}
@@ -65,8 +65,8 @@ static GenericList *qapi_clone_next_list(Visitor *v, GenericList *tail,
QapiCloneVisitor *qcv = to_qcv(v);
assert(qcv->depth);
- /* Unshare the tail of the list cloned by g_memdup() */
- tail->next = g_memdup(tail->next, size);
+ /* Unshare the tail of the list cloned by g_memdup2() */
+ tail->next = g_memdup2_qemu(tail->next, size);
return tail->next;
}
@@ -83,7 +83,7 @@ static bool qapi_clone_type_int64(Visitor *v, const char *name, int64_t *obj,
QapiCloneVisitor *qcv = to_qcv(v);
assert(qcv->depth);
- /* Value was already cloned by g_memdup() */
+ /* Value was already cloned by g_memdup2() */
return true;
}
@@ -93,7 +93,7 @@ static bool qapi_clone_type_uint64(Visitor *v, const char *name,
QapiCloneVisitor *qcv = to_qcv(v);
assert(qcv->depth);
- /* Value was already cloned by g_memdup() */
+ /* Value was already cloned by g_memdup2() */
return true;
}
@@ -103,7 +103,7 @@ static bool qapi_clone_type_bool(Visitor *v, const char *name, bool *obj,
QapiCloneVisitor *qcv = to_qcv(v);
assert(qcv->depth);
- /* Value was already cloned by g_memdup() */
+ /* Value was already cloned by g_memdup2() */
return true;
}
@@ -114,7 +114,7 @@ static bool qapi_clone_type_str(Visitor *v, const char *name, char **obj,
assert(qcv->depth);
/*
- * Pointer was already cloned by g_memdup; create fresh copy.
+ * Pointer was already cloned by g_memdup2; create fresh copy.
* Note that as long as qobject-output-visitor accepts NULL instead of
* "", then we must do likewise. However, we want to obey the
* input visitor semantics of never producing NULL when the empty
@@ -130,7 +130,7 @@ static bool qapi_clone_type_number(Visitor *v, const char *name, double *obj,
QapiCloneVisitor *qcv = to_qcv(v);
assert(qcv->depth);
- /* Value was already cloned by g_memdup() */
+ /* Value was already cloned by g_memdup2() */
return true;
}
@@ -413,8 +413,10 @@ bool visit_type_enum(Visitor *v, const char *name, int *obj,
case VISITOR_OUTPUT:
return output_type_enum(v, name, obj, lookup, errp);
case VISITOR_CLONE:
- /* nothing further to do, scalar value was already copied by
- * g_memdup() during visit_start_*() */
+ /*
+ * nothing further to do, scalar value was already copied by
+ * g_memdup2() during visit_start_*()
+ */
return true;
case VISITOR_DEALLOC:
/* nothing to deallocate for a scalar */
Per https://discourse.gnome.org/t/port-your-module-from-g-memdup-to-g-memdup2-now/5538 The old API took the size of the memory to duplicate as a guint, whereas most memory functions take memory sizes as a gsize. This made it easy to accidentally pass a gsize to g_memdup(). For large values, that would lead to a silent truncation of the size from 64 to 32 bits, and result in a heap area being returned which is significantly smaller than what the caller expects. This can likely be exploited in various modules to cause a heap buffer overflow. Replace g_memdup() by the safer g_memdup2_qemu() wrapper. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> --- qapi/qapi-clone-visitor.c | 16 ++++++++-------- qapi/qapi-visit-core.c | 6 ++++-- 2 files changed, 12 insertions(+), 10 deletions(-)