From 4d39f53ab24099bca36b3ba4ed05ff5e46f23451 Mon Sep 17 00:00:00 2001 From: Max Kellermann Date: Wed, 4 Mar 2020 21:02:48 +0100 Subject: [PATCH] input/Manager: fix three use-after-free bugs The code comment said "ref'd by lookupwithdefault", but the `fields` variable was not referenced; only `fields_val` was, and its reference was released earlier. Same for `idx` and `val` in method CreateTableStream(). Fixes a regression from commit d81bfed45da04d0e77496ea4487832d5aa1f95ba --- src/input/Manager.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/input/Manager.cc b/src/input/Manager.cc index c85bc82575..bd1036a35b 100644 --- a/src/input/Manager.cc +++ b/src/input/Manager.cc @@ -467,7 +467,6 @@ bool Manager::CreateEventStream(RecordVal* fval) for ( unsigned int i = 0; i < fieldsV.size(); i++ ) logf[i] = fieldsV[i]; - Unref(fields); // ref'd by lookupwithdefault stream->num_fields = fieldsV.size(); stream->fields = fields->Ref()->AsRecordType(); stream->event = event_registry->Lookup(event->Name()); @@ -511,7 +510,7 @@ bool Manager::CreateTableStream(RecordVal* fval) Val* val_val = fval->Lookup("val", true); if ( val_val ) { - val = val_val->AsType()->AsTypeType()->Type()->AsRecordType(); + val = val_val->AsType()->AsTypeType()->Type()->Ref()->AsRecordType(); Unref(val_val); } @@ -712,7 +711,7 @@ bool Manager::CreateTableStream(RecordVal* fval) stream->num_val_fields = valfields; stream->tab = dst->AsTableVal(); // ref'd by lookupwithdefault stream->rtype = val ? val->AsRecordType() : 0; - stream->itype = idx->AsRecordType(); + stream->itype = idx->Ref()->AsRecordType(); stream->event = event ? event_registry->Lookup(event->Name()) : 0; stream->error_event = error_event ? event_registry->Lookup(error_event->Name()) : nullptr; stream->currDict = new PDict;