[Spice-commits] 2 commits - server/red_worker.c

[Yonit Halperin]

 server/red_worker.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

New commits:
commit 00086b8898ad9527aba72d3b4348e8892de42eba
Author: Yonit Halperin <yhalperi at redhat.com>
Date:   Wed Jun 15 17:21:02 2011 +0300

    server: add missing calls to red_handle_drawable_surfaces_client_synced
    
    red_handle_drawable_surfaces_client_synced was called only from red_pipe_add_drawable, while it
    should also be called from red_pipe_add_drawable_after. Otherwise, the client
    might receive a command with a reference to a surface it doesn't hold and crash.

diff --git a/server/red_worker.c b/server/red_worker.c
index 672f078..bfb3cf9 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -1194,6 +1194,7 @@ static inline void red_pipe_add_drawable_to_tail(RedWorker *worker, Drawable *dr
     if (!worker->display_channel) {
         return;
     }
+    red_handle_drawable_surfaces_client_synced(worker, drawable);
     drawable->refs++;
     red_pipe_add_tail(&worker->display_channel->common.base, &drawable->pipe_item);
 }
@@ -1209,6 +1210,7 @@ static inline void red_pipe_add_drawable_after(RedWorker *worker, Drawable *draw
         red_pipe_add_drawable(worker, drawable);
         return;
     }
+    red_handle_drawable_surfaces_client_synced(worker, drawable);
     drawable->refs++;
     red_channel_pipe_add_after(&worker->display_channel->common.base, &drawable->pipe_item, &pos_after->pipe_item);
 }
commit 686b67473f30043033deeaf0f1eb644915d792cd
Author: Yonit Halperin <yhalperi at redhat.com>
Date:   Tue Jul 12 08:50:34 2011 +0300

    server: fix access to a released drawable. RHBZ #713474
    
    red_pipe_add_drawable can lead to removal of drawables from current tree
    (since it calls red_handle_drawable_surfaces_client_synced), which can
    also lead to releasing these drawables.
    Before the fix, red_current_add_equal, called red_pipe_add_drawable,
    without assuring afterwards that the drawables it refers to are still alive or
    still in the current tree.

diff --git a/server/red_worker.c b/server/red_worker.c
index 9a61e86..672f078 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -2703,22 +2703,29 @@ static inline int red_current_add_equal(RedWorker *worker, DrawItem *item, TreeI
         int add_after = !!other_drawable->stream && is_drawable_independent_from_surfaces(drawable);
         red_stream_maintenance(worker, drawable, other_drawable);
         __current_add_drawable(worker, drawable, &other->siblings_link);
+        other_drawable->refs++;
+        current_remove_drawable(worker, other_drawable);
         if (add_after) {
             red_pipe_add_drawable_after(worker, drawable, other_drawable);
         } else {
             red_pipe_add_drawable(worker, drawable);
         }
-        remove_drawable(worker, other_drawable);
+        red_pipe_remove_drawable(worker, other_drawable);
+        release_drawable(worker, other_drawable);
         return TRUE;
     }
 
     switch (item->effect) {
     case QXL_EFFECT_REVERT_ON_DUP:
         if (is_same_drawable(worker, drawable, other_drawable)) {
+            other_drawable->refs++;
+            current_remove_drawable(worker, other_drawable);
             if (!ring_item_is_linked(&other_drawable->pipe_item.link)) {
                 red_pipe_add_drawable(worker, drawable);
+            } else {
+                red_pipe_remove_drawable(worker, other_drawable);
             }
-            remove_drawable(worker, other_drawable);
+            release_drawable(worker, other_drawable);
             return TRUE;
         }
         break;