replay: Fix dangling location bug in replay_configure()

replay_configure() pushes and pops a Location with automatic storage
duration.  Except it fails to pop when -icount parameter "rr" isn't
given.  cur_loc then points to unused stack space, and will most
likely get clobbered in short order.

Clobbered cur_loc can make loc_pop() and error_print_loc() crash or
report bogus locations.

Broken in commit 890ad55.

I didn't take the time to find a reproducer.

Cc: Eduardo Habkost <[email protected]>
Signed-off-by: Markus Armbruster <[email protected]>
Message-Id: <1461767349[email protected]>
Reviewed-by: Eric Blake <[email protected]>
Reviewed-by: Eduardo Habkost <[email protected]>

diff --git a/replay/replay.c b/replay/replay.c
index 7c2573a6127a49e5ca516226a7bddc8e8686d8d4..167fd2942d60307db1d8aa57679bb43a95d0f755 100644 (file)
--- a/replay/replay.c
+++ b/replay/replay.c
@@ -275,7 +275,7 @@ void replay_configure(QemuOpts *opts)
     rr = qemu_opt_get(opts, "rr");
     if (!rr) {
         /* Just enabling icount */
-        return;
+        goto out;
     } else if (!strcmp(rr, "record")) {
         mode = REPLAY_MODE_RECORD;
     } else if (!strcmp(rr, "replay")) {
@@ -293,6 +293,7 @@ void replay_configure(QemuOpts *opts)
 
     replay_enable(fname, mode);
 
+out:
     loc_pop(&loc);
 }