Qt: Fix use-after-free pattern

This fixes crashes due to use of deallocated memory in: - Export Packet Dissections - Merge Capture Files - Edit Packet Comment Change-Id: I3dab8c0735eb5e642d6a4580d20bc3c81cf1345b Reviewed-on: https://code.wireshark.org/review/10392 Petri-Dish: Stig Bjørlykke <stig@bjorlykke.org> Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org> Reviewed-by: Stig Bjørlykke <stig@bjorlykke.org>
2015-09-05 19:39:51 +02:00 · 2015-09-05 19:39:51 +02:00 · 91d863cc16
parent f25b8c6784
commit 91d863cc16
4 changed files with 23 additions and 12 deletions
--- a/ui/qt/export_dissection_dialog.cpp
+++ b/ui/qt/export_dissection_dialog.cpp
@ -48,9 +48,9 @@ ExportDissectionDialog::ExportDissectionDialog(QWidget *parent, capture_file *ca
    QFileDialog(parent),
    export_type_(export_type),
    cap_file_(cap_file)
-  #if !defined(Q_OS_WIN)
+#if !defined(Q_OS_WIN)
    , save_bt_(NULL)
- #endif /* Q_OS_WIN */
+#endif /* Q_OS_WIN */
 {
 #if !defined(Q_OS_WIN)
    QDialogButtonBox *button_box = findChild<QDialogButtonBox *>();
@ -86,6 +86,7 @@ ExportDissectionDialog::ExportDissectionDialog(QWidget *parent, capture_file *ca
    fd_grid->addItem(new QSpacerItem(1, 1), last_row, 0);
    fd_grid->addLayout(h_box, last_row, 1);

+    print_args_.file = NULL;
    /* Init the export range */
    packet_range_init(&print_args_.range, cap_file_);
    /* Default to displayed packets */
@ -120,6 +121,9 @@ ExportDissectionDialog::ExportDissectionDialog(QWidget *parent, capture_file *ca

 ExportDissectionDialog::~ExportDissectionDialog()
 {
+#if !defined(Q_OS_WIN)
+    g_free(print_args_.file);
+#endif
 }

 int ExportDissectionDialog::exec()
@ -137,7 +141,7 @@ int ExportDissectionDialog::exec()

        /* Fill in our print (and export) args */

-        print_args_.file                = file_name.toUtf8().data();
+        print_args_.file                = qstring_strdup(file_name);
        print_args_.format              = PR_FMT_TEXT;
        print_args_.to_file             = TRUE;
        print_args_.cmd                 = NULL;
--- a/ui/qt/import_text_dialog.cpp
+++ b/ui/qt/import_text_dialog.cpp
@ -41,6 +41,7 @@

 #include <ui_import_text_dialog.h>
 #include "wireshark_application.h"
+#include "qt_ui_utils.h"

 #include <QFileDialog>
 #include <QDebug>
@ -213,7 +214,7 @@ int ImportTextDialog::exec() {
        return result();
    }

-    import_info_.import_text_filename = g_strdup(ti_ui_->textFileLineEdit->text().toUtf8().data());
+    import_info_.import_text_filename = qstring_strdup(ti_ui_->textFileLineEdit->text());
    import_info_.import_text_file = ws_fopen(import_info_.import_text_filename, "rb");
    if (!import_info_.import_text_file) {
        open_failure_alert_box(import_info_.import_text_filename, errno, FALSE);
@ -227,7 +228,7 @@ int ImportTextDialog::exec() {
        ti_ui_->octalOffsetButton->isChecked()   ? OFFSET_OCT :
        OFFSET_NONE;
    import_info_.date_timestamp = ti_ui_->dateTimeLineEdit->text().length() > 0;
-    import_info_.date_timestamp_format = g_strdup(ti_ui_->dateTimeLineEdit->text().toUtf8().data());
+    import_info_.date_timestamp_format = qstring_strdup(ti_ui_->dateTimeLineEdit->text());

    encap_val = ti_ui_->encapComboBox->itemData(ti_ui_->encapComboBox->currentIndex());
    import_info_.dummy_header_type = HEADER_NONE;
--- a/ui/qt/main_window.cpp
+++ b/ui/qt/main_window.cpp
@ -911,21 +911,24 @@ void MainWindow::mergeCaptureFile()
        tmpname = NULL;
        if (merge_dlg.mergeType() == 0) {
            /* chronological order */
-            in_filenames[0] = capture_file_.capFile()->filename;
-            in_filenames[1] = file_name.toUtf8().data();
+            in_filenames[0] = g_strdup(capture_file_.capFile()->filename);
+            in_filenames[1] = qstring_strdup(file_name);
            merge_status = cf_merge_files(&tmpname, 2, in_filenames, file_type, FALSE);
        } else if (merge_dlg.mergeType() <= 0) {
            /* prepend file */
-            in_filenames[0] = file_name.toUtf8().data();
-            in_filenames[1] = capture_file_.capFile()->filename;
+            in_filenames[0] = qstring_strdup(file_name);
+            in_filenames[1] = g_strdup(capture_file_.capFile()->filename);
            merge_status = cf_merge_files(&tmpname, 2, in_filenames, file_type, TRUE);
        } else {
            /* append file */
-            in_filenames[0] = capture_file_.capFile()->filename;
-            in_filenames[1] = file_name.toUtf8().data();
+            in_filenames[0] = g_strdup(capture_file_.capFile()->filename);
+            in_filenames[1] = qstring_strdup(file_name);
            merge_status = cf_merge_files(&tmpname, 2, in_filenames, file_type, TRUE);
        }

+        g_free(in_filenames[0]);
+        g_free(in_filenames[1]);
+
        if (merge_status != CF_OK) {
            if (rfcode != NULL)
                dfilter_free(rfcode);
--- a/ui/qt/packet_list.cpp
+++ b/ui/qt/packet_list.cpp
@ -888,7 +888,7 @@ void PacketList::setPacketComment(QString new_comment)
 {
    int row = currentIndex().row();
    frame_data *fdata;
-    gchar *new_packet_comment = new_comment.toUtf8().data();
+    gchar *new_packet_comment;

    if (!cap_file_ || !packet_list_model_) return;

@ -899,9 +899,12 @@ void PacketList::setPacketComment(QString new_comment)
    /* Check if we are clearing the comment */
    if(new_comment.isEmpty()) {
        new_packet_comment = NULL;
+    } else {
+        new_packet_comment = qstring_strdup(new_comment);
    }

    cf_set_user_packet_comment(cap_file_, fdata, new_packet_comment);
+    g_free(new_packet_comment);

    redrawVisiblePackets();
 }