pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-29 08:47:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

replay: Avoid double free of primary surface

Browse Source 
read_binary() attaches 'mem' to the SpiceReplay::allocated list.

On failure, SpiceReplay::allocated and its content are freed by
spice_replay_free().

SpiceReplay::primary_mem is also freed, which causes a double free
as replay_handle_create_primary() added 'mem' both to
SpiceReplay::primary_mem and SpiceReplay::allocated.

This commit avoids this by ensuring SpiceReplay::primary_mem is not
kept in the SpiceReplay::allocated list.

Note that this double free can happen only on currupted or wrong
record images.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
This commit is contained in:
Frediano Ziglio 2017-02-07 22:44:10 +00:00
parent 11629023c4
commit cb84a6c2ed
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
server/red-replay-qxl.c
View File

@ -1256,6 +1256,7 @@ static void replay_handle_create_primary(QXLWorker *worker, SpiceReplay *replay)
read_binary(replay, "data", &size, &mem, 0);
surface.group_id = 0;
free(replay->primary_mem);
replay->allocated = g_list_remove(replay->allocated, mem);
replay->primary_mem = mem;
surface.mem = QXLPHYSICAL_FROM_PTR(mem);
worker->create_primary_surface(worker, 0, &surface);