pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2025-12-27 23:49:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

dcc-send: fix use-after-free

Browse Source 
'l' is being freed within the loop

Found-by: Frediano Ziglio <fziglio@redhat.com>
Signed-off-by: Uri Lublin <uril@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
This commit is contained in:
Uri Lublin 2019-07-10 20:44:35 +03:00 committed by Frediano Ziglio
parent 636f9c25a6
commit da162ad411
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/dcc-send.c
View File

@ -711,7 +711,7 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
int resent_surface_ids[MAX_PIPE_SIZE];
SpiceRect resent_areas[MAX_PIPE_SIZE]; // not pointers since drawables may be released
int num_resent;
GList *l;
GList *l, *prev;
GQueue *pipe;
resent_surface_ids[0] = first_surface_id;
@ -721,11 +721,12 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
pipe = red_channel_client_get_pipe(RED_CHANNEL_CLIENT(dcc));
// going from the oldest to the newest
for (l = pipe->tail; l != NULL; l = l->prev) {
for (l = pipe->tail; l != NULL; l = prev) {
RedPipeItem *pipe_item = l->data;
Drawable *drawable;
RedDrawablePipeItem *dpi;
prev = l->prev;
if (pipe_item->type != RED_PIPE_ITEM_TYPE_DRAW)
continue;
dpi = SPICE_UPCAST(RedDrawablePipeItem, pipe_item);