From: Bernhard Beschow <[email protected]>

Under Windows, QEMU would only sporadically start successfully. In the
G_OS_WIN32 case, get_relocated_path() first determines a cursor
to the end of the "result" string and then increases its size with
g_string_set_size(). Since g_string_set_size() may reallocate, the
cursor may become dangling. Windows may detect this and crash the QEMU
process with the following message:

  HEAP: Free Heap block 000000000499B640 modified at 000000000499B684 after it was freed

Furthermore, QEMU crashes spontaneously, even long after the guest has
booted. For example, it presumably crashes due to the guest setting a
new cursor icon which may be a result of the heap corruption.

Fix this by determining the cursor on the resized string.

Fixes: cf60ccc3306c ("cutils: Introduce bundle mechanism")
Cc: [email protected]
Signed-off-by: Bernhard Beschow <[email protected]>
Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
Reviewed-by: Akihiko Odaki <[email protected]>
Message-id: [email protected]
Signed-off-by: Peter Maydell <[email protected]>
(cherry picked from commit f1b1db98cc3b7212d7efffab516d38d0a913f432)
Signed-off-by: Michael Tokarev <[email protected]>

diff --git a/util/cutils.c b/util/cutils.c
index 9803f11a59..76a9442085 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -1165,9 +1165,10 @@ char *get_relocated_path(const char *dir)
 
         PCWSTR wdir_skipped_root;
         if (PathCchSkipRoot(wdir, &wdir_skipped_root) == S_OK) {
+            char *cursor;
             size = wcsrtombs(NULL, &wdir_skipped_root, 0, &(mbstate_t){0});
-            char *cursor = result->str + result->len;
             g_string_set_size(result, result->len + size);
+            cursor = result->str + result->len - size;
             wcsrtombs(cursor, &wdir_skipped_root, size + 1, &(mbstate_t){0});
         } else {
             g_string_append(result, dir);
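Review bot: Recomputing `cursor` from `result->str` after `g_string_set_size()` is the right fix, since the old `result->str + result->len` pointer was taken before a call that may reallocate the buffer; `result->len - size` lands back on the old end of the string because `g_string_set_size()` sets `len` to exactly `result->len + size`, and the `size + 1` bytes written by the second `wcsrtombs()` fit because GString always reserves room for the terminating NUL. One thing still worth addressing in this block: the sizing call `size = wcsrtombs(NULL, &wdir_skipped_root, 0, &(mbstate_t){0});` returns `(size_t)-1` if the wide path contains a sequence that cannot be converted in the current locale, and that value flows unchecked into `g_string_set_size(result, result->len + size)`, where the addition wraps. A check such as `if (size == (size_t)-1) { g_string_append(result, dir); } else { ... }` (or an `assert` if unconvertible paths are considered impossible here) before growing the string would keep a bad path from turning into a second memory-safety bug. Moving the `char *cursor;` declaration to the top of the block also keeps the code consistent with QEMU's preference for declarations at the start of a block now that the assignment follows a statement.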
-- 
2.47.3