Changeset 39123 in vbox

Timestamp:

Oct 26, 2011 8:24:47 PM (13 years ago)

Author:

vboxsync

Message:

Main/Machine: fix use after free bug caused by non-obvious std::list behavior

File:

• trunk/src/VBox/Main/src-server/MachineImpl.cpp (modified) (3 diffs)

trunk/src/VBox/Main/src-server/MachineImpl.cpp

@@ -6758 +6758 @@
     /* attach launch data to the machine */
     Assert(mData->mSession.mPid == NIL_RTPROCESS);
-    mData->mSession.mRemoteControls.push_back (aControl);
+    mData->mSession.mRemoteControls.push_back(aControl);
     mData->mSession.mProgress = aProgress;
     mData->mSession.mPid = pid;
@@ -9812 +9812 @@
     setModified(IsModified_Storage);
     mMediaData.backup();
-
-    // we cannot use erase (it) below because backup() above will create
-    // a copy of the list and make this copy active, but the iterator
-    // still refers to the original and is not valid for the copy
     mMediaData->mAttachments.remove(pAttach);
 
@@ -11612 +11608 @@
         ComAssertMsgRet(found, ("The session is not found in the session list!"),
                          E_INVALIDARG);
-        mData->mSession.mRemoteControls.remove(*it);
+        // This MUST be erase(it), not remove(*it) as the latter triggers a
+        // very nasty use after free due to the place where the value "lives".
+        mData->mSession.mRemoteControls.erase(it);
     }