From 7498675c1d695bb68df6cf9d06b2ed9bf0619080 Mon Sep 17 00:00:00 2001 From: Jonathon Jongsma Date: Tue, 22 Aug 2017 15:44:58 -0500 Subject: [PATCH] Avoid leaking memory on invalid cursor commands When a RedCursorCmd is passed to cursor_channel_process_cmd(), it constructs a new CursorItem which takes ownership of that command. If the cursor_cmd->type falls through to the default case of the switch statement, we will print a warning and return without freeing the CursorItem (and thus the RedCursorCmd). Acked-by: Frediano Ziglio --- server/cursor-channel.c | 1 + 1 file changed, 1 insertion(+) diff --git a/server/cursor-channel.c b/server/cursor-channel.c index a8761133..63d6886d 100644 --- a/server/cursor-channel.c +++ b/server/cursor-channel.c @@ -335,6 +335,7 @@ void cursor_channel_process_cmd(CursorChannel *cursor, RedCursorCmd *cursor_cmd) break; default: spice_warning("invalid cursor command %u", cursor_cmd->type); + cursor_item_unref(cursor_item); return; }