[Spice-commits] server/red-replay-qxl.c

Frediano Ziglio fziglio at kemper.freedesktop.org
Wed Feb 8 20:56:01 UTC 2017


 server/red-replay-qxl.c |    1 +
 1 file changed, 1 insertion(+)

New commits:
commit cb84a6c2ed4cf699da05f886e8dc951a7469373f
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Tue Feb 7 22:44:10 2017 +0000

    replay: Avoid double free of primary surface
    
    read_binary() attaches 'mem' to the SpiceReplay::allocated list.
    
    On failure, SpiceReplay::allocated and its content are freed by
    spice_replay_free().
    
    SpiceReplay::primary_mem is also freed, which causes a double free
    as replay_handle_create_primary() added 'mem' both to
    SpiceReplay::primary_mem and SpiceReplay::allocated.
    
    This commit avoids this by ensuring SpiceReplay::primary_mem is not
    kept in the SpiceReplay::allocated list.
    
    Note that this double free can happen only on corrupted or wrong
    record images.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Christophe Fergeau <cfergeau at redhat.com>

diff --git a/server/red-replay-qxl.c b/server/red-replay-qxl.c
index aeaa545..8c52e51 100644
--- a/server/red-replay-qxl.c
+++ b/server/red-replay-qxl.c
@@ -1256,6 +1256,7 @@ static void replay_handle_create_primary(QXLWorker *worker, SpiceReplay *replay)
     read_binary(replay, "data", &size, &mem, 0);
     surface.group_id = 0;
     free(replay->primary_mem);
+    replay->allocated = g_list_remove(replay->allocated, mem);
     replay->primary_mem = mem;
     surface.mem = QXLPHYSICAL_FROM_PTR(mem);
     worker->create_primary_surface(worker, 0, &surface);
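Review bot: the ownership transfer in the added `replay->allocated = g_list_remove(replay->allocated, mem);` line is deliberate but undocumented; a one-line comment at that point ("primary_mem is owned separately and freed by spice_replay_free(), so it must not also sit in 'allocated'") would stop a later reader from treating the removal as accidental and re-adding the buffer to the list. Note also that g_list_remove silently does nothing if `mem` is not in the list, so the hunk relies on read_binary() always having appended it; if that contract is not guaranteed on every path through read_binary(), consider asserting it or otherwise making the assumption visible, since a buffer left in both places is exactly the double free this change sets out to avoid.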

