From da162ad41191c275a387ca5b2f4a4728cfd19235 Mon Sep 17 00:00:00 2001
From: Uri Lublin
Date: Wed, 10 Jul 2019 20:44:35 +0300
Subject: [PATCH] dcc-send: fix use-after-free

'l' is being freed within the loop

Found-by: Frediano Ziglio
Signed-off-by: Uri Lublin
Acked-by: Frediano Ziglio
---
 server/dcc-send.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/dcc-send.c b/server/dcc-send.c
index e0f3b818..4a92ce8c 100644
--- a/server/dcc-send.c
+++ b/server/dcc-send.c
@@ -711,7 +711,7 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
     int resent_surface_ids[MAX_PIPE_SIZE];
     SpiceRect resent_areas[MAX_PIPE_SIZE]; // not pointers since drawables may be released
     int num_resent;
-    GList *l;
+    GList *l, *prev;
     GQueue *pipe;
 
     resent_surface_ids[0] = first_surface_id;
@@ -721,11 +721,12 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
     pipe = red_channel_client_get_pipe(RED_CHANNEL_CLIENT(dcc));
 
     // going from the oldest to the newest
-    for (l = pipe->tail; l != NULL; l = l->prev) {
+    for (l = pipe->tail; l != NULL; l = prev) {
         RedPipeItem *pipe_item = l->data;
         Drawable *drawable;
         RedDrawablePipeItem *dpi;
 
+        prev = l->prev;
         if (pipe_item->type != RED_PIPE_ITEM_TYPE_DRAW)
             continue;
         dpi = SPICE_UPCAST(RedDrawablePipeItem, pipe_item);
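Review bot: The added `prev = l->prev;` line carries an unstated invariant: saving the link early is only sound if the loop body unlinks at most the current node, since a body that also drops the node `prev` points to would leave the iterator dangling again. The hunk does not show where in the body the release happens (the function continues past the hunk), so that assumption should be recorded next to the assignment, e.g. `// grab the link before the body: processing may free this pipe item and its GList node`. The loop-header comment `// going from the oldest to the newest` could also note that `l` is never touched after the body, which is why the iterator must go through `prev`. As a point of style, the first hunk's `GList *l, *prev;` would follow the file's one-declarator-per-line shape better as `GList *l;` and `GList *prev;`.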