| Field | Value | Date |
|---|---|---|
| author | Peter Wu <peter@lekensteyn.nl> | 2015-03-07 22:53:05 +0100 |
| committer | Gerald Combs <gerald@wireshark.org> | 2015-03-08 21:56:42 +0000 |
| commit | 6bc138c87a32f7f707e40eaf006128936792bb0b | |
| tree | b72b6d0414e56db2b50e3ee8fe9cd3c5aa11d3f2 /epan/dissectors/packet-frame.c | |
| parent | 758ee3dc899ecd7b0de9179fc4d4d7a88e05d27e | |
Qt: fix heap use-after-free wrt. data sources

When a different packet is changed, the packet scoped memory for tvbuff
is freed before clearing data source tabs. This results in
heap-use-after-free when resizeEvent is called as a result of clearing
tabs for data sources.

Avoid resize events by hiding the tabs.

Caught with ASAN:

```
==18816==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060004cd970 at pc 0x7fffebf46618 bp 0x7fffffffbb10 sp 0x7fffffffbb00
READ of size 4 at 0x6060004cd970 thread T0
    #0 0x7fffebf46617 in tvb_captured_length epan/tvbuff.c:423
    #1 0x773062 in ByteViewText::updateScrollbars() ui/qt/byte_view_text.cpp:489
    #2 0x76f307 in ByteViewText::resizeEvent(QResizeEvent*) ui/qt/byte_view_text.cpp:197
    ...
    #24 0x9f2348 in ByteViewText::~ByteViewText() ui/qt/byte_view_text.h:46
    #25 0x9f23f5 in ByteViewText::~ByteViewText() ui/qt/byte_view_text.h:46
    #26 0x76b9d6 in ByteViewTab::clear() ui/qt/byte_view_tab.cpp:54
    #27 0x5de685 in PacketList::selectionChanged(QItemSelection const&, QItemSelection const&) ui/qt/packet_list.cpp:477
    ...
freed by thread T0 here:
    ...
    #5 0x53d763 in cf_select_packet file.c:3827
    #6 0x5ddfa5 in PacketList::selectionChanged(QItemSelection const&, QItemSelection const&) ui/qt/packet_list.cpp:454
    #7 0x7fffe58ec980 (/usr/lib/libQt5Widgets.so.5+0x3bc980)
    #8 0x7fffe4d55dd6 in QItemSelectionModel::selectionChanged(QItemSelection const&, QItemSelection const&) (/usr/lib/libQt5Core.so.5+0x23fdd6)
    ...
```

Change-Id: I9c1c01398713389de58259d13ebbaddd2d6e5c52
Reviewed-on: https://code.wireshark.org/review/7589
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'epan/dissectors/packet-frame.c')
0 files changed, 0 insertions, 0 deletions
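
The ordering problem the commit message describes, as an added model that is not Wireshark or Qt code: packet-scoped buffers are freed first, then clearing the tabs delivers resize events that read them. Every type and function name here is hypothetical, `std::weak_ptr` stands in for the raw tvbuff pointer so the stale read can be counted instead of executed, and the rule that hidden tabs receive no resize events is taken from the commit message.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <vector>

using Buf = std::vector<unsigned char>;

// Hypothetical stand-in for packet-scoped memory: freed when a new packet is selected.
struct PacketScope {
    std::vector<std::shared_ptr<Buf>> bufs;
    std::weak_ptr<Buf> alloc(std::size_t n) {
        bufs.push_back(std::make_shared<Buf>(n));
        return bufs.back();
    }
    void free_all() { bufs.clear(); }
};

// Hypothetical byte view: a resize event reads the buffer length.
struct ByteView {
    std::weak_ptr<Buf> tvb;
    // Returns true when the read would touch freed memory (a raw pointer would be a UAF).
    bool resize_event() const { return tvb.expired(); }
};

// Hypothetical tab container: removing a tab re-lays-out the views while visible.
struct TabWidget {
    std::vector<ByteView> tabs;
    bool visible = true;
    int stale_reads = 0;
    void hide() { visible = false; }
    void clear() {
        while (!tabs.empty()) {
            if (visible)
                for (const auto &t : tabs) stale_reads += t.resize_event();
            tabs.pop_back();
        }
    }
};

// Models one packet selection; returns how many reads hit freed memory.
int select_packet(bool hide_before_clear) {
    PacketScope scope;
    TabWidget w;
    for (int i = 0; i < 2; ++i) w.tabs.push_back(ByteView{scope.alloc(64)});
    scope.free_all();                  // old packet's memory is released first
    if (hide_before_clear) w.hide();   // mitigation from the commit message
    w.clear();                         // tabs are cleared only afterwards
    return w.stale_reads;
}

int main() {
    std::cout << "stale reads without hide: " << select_packet(false) << "\n";
    std::cout << "stale reads with hide:    " << select_packet(true) << "\n";
}
```
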