[Spice-commits] 2 commits - common/marshaller.c server/red_worker.c

Gerd Hoffmann kraxel at kemper.freedesktop.org
Wed Jun 23 04:50:11 PDT 2010


 common/marshaller.c |    5 +++--
 server/red_worker.c |   10 ++--------
 2 files changed, 5 insertions(+), 10 deletions(-)

New commits:
commit 899a9df0e6892c1cb5426949359ae6815914803a
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Wed Jun 23 09:49:04 2010 +0200

    fix use-after-free in spice_marshaller_reset

diff --git a/common/marshaller.c b/common/marshaller.c
index 5844b89..ece4f48 100644
--- a/common/marshaller.c
+++ b/common/marshaller.c
@@ -157,13 +157,14 @@ static void free_items(SpiceMarshaller *m)
 
 void spice_marshaller_reset(SpiceMarshaller *m)
 {
-    SpiceMarshaller *m2;
+    SpiceMarshaller *m2, *next;
     SpiceMarshallerData *d;
 
     /* Only supported for root marshaller */
     assert(m->data->marshallers == m);
 
-    for (m2 = m; m2 != NULL; m2 = m2->next) {
+    for (m2 = m; m2 != NULL; m2 = next) {
+        next = m2->next;
         free_item_data(m2);
 
         /* Free non-root marshallers */
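Review bot: The added line `next = m2->next;` at the top of the loop body carries the whole fix but has no comment, so a later cleanup could fold it back into the `for` header and reintroduce the read through a freed marshaller. I would put `/* m2 may be freed below, so fetch its successor first */` directly above it. `next` is only needed inside the loop and could be declared there if the file's C dialect allows, so that no stale pointer stays in scope afterwards. The body of spice_marshaller_reset continues past the end of the hunk, so it is worth confirming that the root's own `next` link is cleared once the non-root marshallers are gone, which is not visible here.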
commit b6efc72001bf15eb1f4d0adcf1afe6f1f9659c80
Author: Gerd Hoffmann <kraxel at redhat.com>
Date:   Tue Jun 22 17:41:39 2010 +0200

    drop bogous get_virt_delta calls

diff --git a/server/red_worker.c b/server/red_worker.c
index ee37222..b9ada15 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -6605,10 +6605,7 @@ static int red_jpeg_compress_image(DisplayChannel *display_channel, RedImage *de
                                                  group_id);
                 ASSERT(chunk->prev_chunk);
             }
-            jpeg_data->data.u.lines_data.next = (SPICE_ADDRESS)prev_addr -
-                                                get_virt_delta(&worker->mem_slots,
-                                                               get_memslot_id(&worker->mem_slots, src->data),
-                                                               group_id);
+            jpeg_data->data.u.lines_data.next = (SPICE_ADDRESS)prev_addr;
             jpeg_data->usr.more_lines = jpeg_usr_more_lines_reverse;
             stride = -src->stride;
         }
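Review bot: The two replacement lines in this commit are written differently: this hunk keeps the cast, `jpeg_data->data.u.lines_data.next = (SPICE_ADDRESS)prev_addr;`, while the matching line in red_quic_compress_image (the next hunk) assigns plain `prev_addr`. The declaration of prev_addr is outside both hunks, so one site has either a redundant cast or an implicit pointer-to-integer conversion; both should use the same form. Because the value is now stored without subtracting the memslot delta, a short comment such as `/* prev_addr is already translated; no slot delta to undo */` would record the assumption the reverse more_lines callbacks presumably rely on. That reading is inferred from the removed lines and should be confirmed against how prev_addr is produced. Both enclosing functions start and end outside the hunks.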
@@ -6809,10 +6806,7 @@ static inline int red_quic_compress_image(DisplayChannel *display_channel, RedIm
                                                  group_id);
                 ASSERT(chunk->prev_chunk);
             }
-            quic_data->data.u.lines_data.next = (SPICE_ADDRESS)prev_addr -
-                                                get_virt_delta(&worker->mem_slots,
-                                                               get_memslot_id(&worker->mem_slots, src->data),
-                                                               group_id);
+            quic_data->data.u.lines_data.next = prev_addr;
             quic_data->usr.more_lines = quic_usr_more_lines_reverse;
             stride = -src->stride;
         }

