[Spice-devel] [PATCH spice] Fix crash when clearing surface memory

Marc-André Lureau marcandre.lureau at gmail.com
Wed Aug 6 09:58:42 PDT 2014


The beginning of the surface data needs to be computed correctly if the
stride is negative, otherwise, it should point already to the beginning
of the surface data. This bug seems to exist since 4a208b (0.5.2)

https://bugzilla.redhat.com/show_bug.cgi?id=1029646
---
 server/red_worker.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/red_worker.c b/server/red_worker.c
index 6bdad93..904e8fe 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -9470,7 +9470,9 @@ static inline void red_create_surface(RedWorker *worker, uint32_t surface_id, ui
     surface->context.stride = stride;
     surface->context.line_0 = line_0;
     if (!data_is_valid) {
-        memset((char *)line_0 + (int32_t)(stride * (height - 1)), 0, height*abs(stride));
+        char *data = line_0;
+        data += stride < 0 ? (int32_t)(stride * (height - 1)) : 0;
+        memset(data, 0, height*abs(stride));
     }
     surface->create.info = NULL;
     surface->destroy.info = NULL;
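Review bot: the offset and length in the added lines are still computed with unchecked arithmetic. In `data += stride < 0 ? (int32_t)(stride * (height - 1)) : 0;` the `(int32_t)` cast is applied only after the multiplication has been done, and `height*abs(stride)` is passed to `memset` with no bound visible in this hunk. The declarations of `stride` and `height` are not shown here, but if `height` is unsigned then a value of 0 makes `height - 1` wrap, and `abs(stride)` is undefined for the most negative `int`. Please either point to where the caller validates these values or add a check before the `if (!data_is_valid)` block, and compute the byte count once in a `size_t` so that the pointer adjustment and the `memset` length come from the same checked value. A short comment saying that `line_0` points at the last row in memory when `stride` is negative would also help the next reader.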
-- 
1.9.3


