pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2026-01-05 04:02:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix race condition on red_get_clip_rects

Browse Source 
Do not read multiple time an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
This commit is contained in:
Frediano Ziglio 2015-09-08 10:01:51 +01:00
parent 0f58e9da56
commit 3dfd1a0828
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server/red_parse_qxl.c
View File

@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
size_t size;
int i;
int error;
uint32_t num_rects;
qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
if (error) {
@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
data = red_linearize_chunk(&chunks, size, &free_data);
red_put_data_chunks(&chunks);
spice_assert(qxl->num_rects * sizeof(QXLRect) == size);
red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect));
red->num_rects = qxl->num_rects;
num_rects = qxl->num_rects;
spice_assert(num_rects * sizeof(QXLRect) == size);
red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
red->num_rects = num_rects;
start = (QXLRect*)data;
for (i = 0; i < red->num_rects; i++) {