Commit f1b1db98cc for qemu.org
commit f1b1db98cc3b7212d7efffab516d38d0a913f432
Author: Bernhard Beschow <shentey@gmail.com>
Date: Tue Apr 14 13:40:33 2026 +0200
util/cutils: Fix heap corruption under Windows
Under Windows, QEMU would only sporadically start successfully. In the
G_OS_WIN32 case, get_relocated_path() first determines a cursor
to the end of the "result" string and then increases its size with
g_string_set_size(). Since g_string_set_size() may reallocate, the
cursor may become dangling. Windows may detect this and crash the QEMU
process with the following message:
HEAP: Free Heap block 000000000499B640 modified at 000000000499B684 after it was freed
Furthermore, QEMU crashes spontaneously, even long after the guest has
booted. For example, it presumably crashes due to the guest setting a
new cursor icon which may be a result of the heap corruption.
Fix this by determining the cursor on the resized string.
Fixes: cf60ccc3306c ("cutils: Introduce bundle mechanism")
Cc: qemu-stable@nongnu.org
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Message-id: 20260414114033.2360-1-shentey@gmail.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
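Added example, not QEMU's own code: a minimal GString-like buffer whose resize always moves the allocation, so the pre-patch ordering (cursor taken before the resize) and the post-patch ordering (cursor derived from the resized length) can be compared directly. `Buf`, `buf_set_size`, `buggy_cursor_is_live` and `append_fixed` are constructed names for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mimics the GString fields the patch touches: str and len. */
typedef struct { char *str; size_t len; } Buf;

static Buf buf_new(const char *init)
{
    Buf b;
    b.len = strlen(init);
    b.str = malloc(b.len + 1);          /* len + 1 keeps the terminator, as GString does */
    memcpy(b.str, init, b.len + 1);
    return b;
}

/* Stand-in for g_string_set_size(): grows to new_len and always moves to a
 * fresh block, so any pointer computed before the call is left dangling. */
static void buf_set_size(Buf *b, size_t new_len)
{
    char *fresh = malloc(new_len + 1);
    memcpy(fresh, b->str, b->len + 1);
    free(b->str);
    b->str = fresh;
    b->len = new_len;
    b->str[new_len] = '\0';
}

/* Pre-patch ordering: cursor = str + len is taken, then the string is resized.
 * Returns 1 if that cursor still points into the live block afterwards.
 * The stale address is kept only as an integer; nothing is written through it. */
static int buggy_cursor_is_live(Buf *b, size_t size)
{
    uintptr_t cursor = (uintptr_t)(b->str + b->len);
    buf_set_size(b, b->len + size);
    uintptr_t lo = (uintptr_t)b->str, hi = lo + b->len + 1;
    return cursor >= lo && cursor < hi;
}

/* Post-patch ordering: resize first, then derive the cursor from the new
 * len, which is what `cursor = result->str + result->len - size;` does. */
static void append_fixed(Buf *b, const char *tail)
{
    size_t size = strlen(tail);
    buf_set_size(b, b->len + size);
    char *cursor = b->str + b->len - size;  /* old end, inside the live block */
    memcpy(cursor, tail, size + 1);         /* size + 1 copies the terminator */
}
```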
diff --git a/util/cutils.c b/util/cutils.c
index 9803f11a59..76a9442085 100644
--- a/util/cutils.c
+++ b/util/cutils.c
@@ -1165,9 +1165,10 @@ char *get_relocated_path(const char *dir)
PCWSTR wdir_skipped_root;
if (PathCchSkipRoot(wdir, &wdir_skipped_root) == S_OK) {
+ char *cursor;
size = wcsrtombs(NULL, &wdir_skipped_root, 0, &(mbstate_t){0});
- char *cursor = result->str + result->len;
g_string_set_size(result, result->len + size);
+ cursor = result->str + result->len - size;
wcsrtombs(cursor, &wdir_skipped_root, size + 1, &(mbstate_t){0});
} else {
g_string_append(result, dir);
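Review bot: the sizing call `size = wcsrtombs(NULL, &wdir_skipped_root, 0, &(mbstate_t){0});` still has no error check; wcsrtombs returns (size_t)-1 on an invalid sequence, so `result->len + size` would wrap in the g_string_set_size() call and `size + 1` would become 0 in the second call. Consider bailing out (or taking the else branch) when size == (size_t)-1. The ordering fix itself looks right: after g_string_set_size() `result->len` is the new length, so `cursor = result->str + result->len - size;` is the old end inside the live block, and the `size + 1` destination length fits the terminator GString keeps past len.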