aboutsummaryrefslogtreecommitdiff
path: root/chardev
diff options
context:
space:
mode:
authorDaniil Tatianin <d-tatianin@yandex-team.ru>2021-11-17 17:23:49 +0300
committerPaolo Bonzini <pbonzini@redhat.com>2021-11-19 10:24:50 +0100
commitfdc6e168181d06391711171b7c409b34f2981ced (patch)
tree12664dfcf48c0f1bb85ae17efa499d1d53c39302 /chardev
parentfbab8cc24ded54f371ab9db2c9998be23c158e62 (diff)
downloadqemu-fdc6e168181d06391711171b7c409b34f2981ced.zip
qemu-fdc6e168181d06391711171b7c409b34f2981ced.tar.gz
qemu-fdc6e168181d06391711171b7c409b34f2981ced.tar.bz2
chardev/wctable: don't free the instance in wctablet_chr_finalize
Object is supposed to be freed by invoking obj->free, and not obj->instance_finalize. This would lead to use-after-free followed by double free in object_unref/object_finalize. Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20211117142349.836279-1-d-tatianin@yandex-team.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'chardev')
-rw-r--r--chardev/wctablet.c1
1 files changed, 0 insertions, 1 deletions
diff --git a/chardev/wctablet.c b/chardev/wctablet.c
index 95e005f..e8b292c 100644
--- a/chardev/wctablet.c
+++ b/chardev/wctablet.c
@@ -320,7 +320,6 @@ static void wctablet_chr_finalize(Object *obj)
TabletChardev *tablet = WCTABLET_CHARDEV(obj);
qemu_input_handler_unregister(tablet->hs);
- g_free(tablet);
}
static void wctablet_chr_open(Chardev *chr,