From cb84a6c2ed4cf699da05f886e8dc951a7469373f Mon Sep 17 00:00:00 2001
From: Frediano Ziglio
Date: Tue, 7 Feb 2017 22:44:10 +0000
Subject: [PATCH] replay: Avoid double free of primary surface
read_binary() attaches 'mem' to the SpiceReplay::allocated list. On failure, SpiceReplay::allocated and its content are freed by spice_replay_free(). SpiceReplay::primary_mem is also freed, which causes a double free as replay_handle_create_primary() added 'mem' both to SpiceReplay::primary_mem and SpiceReplay::allocated. This commit avoids this by ensuring SpiceReplay::primary_mem is not kept in the SpiceReplay::allocated list. Note that this double free can happen only on currupted or wrong record images.
Signed-off-by: Frediano Ziglio
Acked-by: Christophe Fergeau
---
 server/red-replay-qxl.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/server/red-replay-qxl.c b/server/red-replay-qxl.c
index aeaa5452..8c52e51c 100644
--- a/server/red-replay-qxl.c
+++ b/server/red-replay-qxl.c
@@ -1256,6 +1256,7 @@ static void replay_handle_create_primary(QXLWorker *worker, SpiceReplay *replay)
 read_binary(replay, "data", &size, &mem, 0);
 surface.group_id = 0;
 free(replay->primary_mem);
+ replay->allocated = g_list_remove(replay->allocated, mem);
 replay->primary_mem = mem;
 surface.mem = QXLPHYSICAL_FROM_PTR(mem);
 worker->create_primary_surface(worker, 0, &surface);
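Review bot: The ownership hand-off that this one-liner establishes is not recorded anywhere in the code, and the return value of the preceding `read_binary(replay, "data", &size, &mem, 0);` is still discarded, so the failure path the commit message describes is handled only indirectly; a reader of this function later will not know why the buffer must be pulled out of `replay->allocated` before it is stored in `replay->primary_mem`. The g_list_remove() must stay ahead of the `replay->primary_mem = mem;` assignment, and it presumably relies on `mem` being initialised before read_binary() (the declaration is outside the hunk), so a non-obvious ordering is worth a comment such as `/* primary_mem owns this buffer; drop it from 'allocated' so spice_replay_free() does not free it twice on a corrupted record */`. If read_binary() reports failure through a return code, checking it here before `surface.mem = QXLPHYSICAL_FROM_PTR(mem);` and the create_primary_surface() call would keep a malformed record from reaching the worker at all — I cannot confirm its signature from this hunk. replay_handle_create_primary() begins before the hunk and, given the hunk header's line count, the call to create_primary_surface() is its last visible line.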