qobject: qobject_from_jsonv() is dangerous, hide it away

qobject_from_jsonv() takes ownership of %p arguments.  On failure, we
can't generally know whether we failed before or after %p, so
ownership becomes indeterminate.  To avoid leaks, callers passing %p
must terminate on error, e.g. by passing &error_abort.  Trap for the
unwary; document and give the function internal linkage.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20180806065344.7103-11-armbru@redhat.com>
This commit is contained in:
Markus Armbruster 2018-08-06 08:53:31 +02:00
parent eac78bd430
commit 2d36e84304
2 changed files with 12 additions and 3 deletions

View File

@ -15,8 +15,6 @@
#define QJSON_H
QObject *qobject_from_json(const char *string, Error **errp);
QObject *qobject_from_jsonv(const char *string, va_list *ap, Error **errp)
GCC_FMT_ATTR(1, 0);
QObject *qobject_from_vjsonf_nofail(const char *string, va_list ap)
GCC_FMT_ATTR(1, 0);

View File

@ -39,7 +39,18 @@ static void parse_json(JSONMessageParser *parser, GQueue *tokens)
s->result = json_parser_parse_err(tokens, s->ap, &s->err);
}
QObject *qobject_from_jsonv(const char *string, va_list *ap, Error **errp)
/*
* Parse @string as JSON value.
* If @ap is non-null, interpolate %-escapes.
* Takes ownership of %p arguments.
* On success, return the JSON value.
* On failure, store an error through @errp and return NULL.
* Ownership of %p arguments becomes indeterminate then. To avoid
* leaks, callers passing %p must terminate on error, e.g. by passing
* &error_abort.
*/
static QObject *qobject_from_jsonv(const char *string, va_list *ap,
Error **errp)
{
JSONParsingState state = {};