From: Akihiko Odaki <[email protected]> qemu_opts_del(opts) dereferences opts->list, which is the old amend_opts pointer that can be dangling after executing qemu_opts_append(amend_opts, bs->drv->create_opts) and cause use-after-free.
Fix the potential use-after-free by moving the qemu_opts_del() call before the qemu_opts_append() call. Signed-off-by: Akihiko Odaki <[email protected]> Message-ID: <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> --- qemu-img.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu-img.c b/qemu-img.c index a7791896c1..7a32d2d16c 100644 --- a/qemu-img.c +++ b/qemu-img.c @@ -4597,9 +4597,9 @@ static int img_amend(const img_cmd_t *ccmd, int argc, char **argv) amend_opts = qemu_opts_append(amend_opts, bs->drv->amend_opts); opts = qemu_opts_create(amend_opts, NULL, 0, &error_abort); if (!qemu_opts_do_parse(opts, options, NULL, &err)) { + qemu_opts_del(opts); /* Try to parse options using the create options */ amend_opts = qemu_opts_append(amend_opts, bs->drv->create_opts); - qemu_opts_del(opts); opts = qemu_opts_create(amend_opts, NULL, 0, &error_abort); if (qemu_opts_do_parse(opts, options, NULL, NULL)) { error_append_hint(&err, -- 2.51.1
