From: Akihiko Odaki <[email protected]>

qemu_opts_del(opts) dereferences opts->list, which is the old amend_opts
pointer that can be dangling after executing
qemu_opts_append(amend_opts, bs->drv->create_opts), and cause a
use-after-free.

Fix the potential use-after-free by moving the qemu_opts_del() call
before the qemu_opts_append() call.

Signed-off-by: Akihiko Odaki <[email protected]>
Message-ID: <[email protected]>
Reviewed-by: Kevin Wolf <[email protected]>
Signed-off-by: Kevin Wolf <[email protected]>
(cherry picked from commit f00bcc833790c72c08bc5eed97845fdaa7542507)
Signed-off-by: Michael Tokarev <[email protected]>

diff --git a/qemu-img.c b/qemu-img.c
index 7a162fdc08..63961e2b76 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -4571,9 +4571,9 @@ static int img_amend(const img_cmd_t *ccmd, int argc, 
char **argv)
     amend_opts = qemu_opts_append(amend_opts, bs->drv->amend_opts);
     opts = qemu_opts_create(amend_opts, NULL, 0, &error_abort);
     if (!qemu_opts_do_parse(opts, options, NULL, &err)) {
+        qemu_opts_del(opts);
         /* Try to parse options using the create options */
         amend_opts = qemu_opts_append(amend_opts, bs->drv->create_opts);
-        qemu_opts_del(opts);
         opts = qemu_opts_create(amend_opts, NULL, 0, &error_abort);
         if (qemu_opts_do_parse(opts, options, NULL, NULL)) {
             error_append_hint(&err,
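Review bot: the reordering in this hunk is correct, but nothing in the code records why the order matters: qemu_opts_del(opts) walks opts->list, which points into amend_opts, and the following qemu_opts_append(amend_opts, bs->drv->create_opts) replaces that list, so a later refactor could silently swap the two calls back. Suggest a one-line comment above the moved call, e.g. "/* opts->list refers to amend_opts; free it before qemu_opts_append() replaces the list */". Also worth noting for readers that opts is left dangling between qemu_opts_del() and the qemu_opts_create() two lines below, which is fine only because nothing touches it in between; keep those lines adjacent.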
-- 
2.47.3