From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1O0Anz-0004Cz-BO for qemu-devel@nongnu.org; Fri, 09 Apr 2010 05:47:15 -0400
Received: from [140.186.70.92] (port=44199 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1O0Any-0004C9-0f for qemu-devel@nongnu.org; Fri, 09 Apr 2010 05:47:14 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1O0Anw-0005ub-I2 for qemu-devel@nongnu.org; Fri, 09 Apr 2010 05:47:13 -0400
Received: from mx1.redhat.com ([209.132.183.28]:11730) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1O0Anw-0005uU-99 for qemu-devel@nongnu.org; Fri, 09 Apr 2010 05:47:12 -0400
From: Kevin Wolf
Date: Fri, 9 Apr 2010 11:46:19 +0200
Message-Id: <1270806388-28138-2-git-send-email-kwolf@redhat.com>
In-Reply-To: <1270806388-28138-1-git-send-email-kwolf@redhat.com>
References: <1270806388-28138-1-git-send-email-kwolf@redhat.com>
Subject: [Qemu-devel] [STABLE][PATCH 01/10] json-parser: Fix segfault on malformed input
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: aurelien@aurel32.net
Cc: kwolf@redhat.com, qemu-devel@nongnu.org

If the parser fails to parse the key in parse_pair, it will access a NULL pointer. A simple way to trigger this is sending {foo} via QMP.

This patch turns the segfault into a syntax error reply.

Signed-off-by: Kevin Wolf
Signed-off-by: Aurelien Jarno
(cherry picked from commit d758d90fe1f74a46042fca665036a23b4d5fe87d)
---
 json-parser.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/json-parser.c b/json-parser.c
index 2ab6f6c..3497cd3 100644
--- a/json-parser.c
+++ b/json-parser.c
@@ -266,7 +266,7 @@ static int parse_pair(JSONParserContext *ctxt, QDict *dict, QList **tokens, va_l peek = qlist_peek(working); key = parse_value(ctxt, &working, ap); - if (qobject_type(key) != QTYPE_QSTRING) { + if (!key || qobject_type(key) != QTYPE_QSTRING) { parse_error(ctxt, peek, "key is not a string in object"); goto out; } -- 1.6.6.1
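Review bot: The added `!key ||` guard in the parse_pair hunk is the right fix and the operand order matters, since the short-circuit keeps `qobject_type(key)` from ever dereferencing a NULL `key`; two follow-ups are worth checking before this goes to stable. First, the message on the new path is still "key is not a string in object", which is misleading for input such as `{foo}` where parse_value returned NULL and no key was parsed at all; consider a separate message (for example "failed to parse object key") so the QMP error reply names the real cause. Second, the hunk jumps to `out` with `key == NULL`, and the cleanup after that label is not visible here; please confirm it tolerates a NULL `key` (e.g. a decref on NULL is a no-op) so the segfault is not merely moved rather than removed. It is also worth auditing the rest of parse_pair and its callers for the same pattern, since any other place that calls `qobject_type()` on the result of parse_value without a NULL check has the identical crash on malformed input.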