[Spice-commits] 2 commits - server/dcc-send.c server/display-channel.h

Frediano Ziglio fziglio at kemper.freedesktop.org
Thu Jan 5 09:37:24 UTC 2017


 server/dcc-send.c        |    1 +
 server/display-channel.h |    2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

New commits:
commit fe6ad8ba1166294b3b486c27485db1c006cef98e
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Wed Jan 4 13:34:43 2017 +0000

    Correctly increment reference before adding the item to marshaller
    
    When the initial image was sent to the client the reference
    was not incremented, leading to some use after free.
    This regression was introduced in
    3bde2e570cbfd4f29a2e94c14ff28b6e3987048d
    ("DCC: remove more init_send_data() arguments").
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Pavel Grunt <pgrunt at redhat.com>

diff --git a/server/dcc-send.c b/server/dcc-send.c
index ab5f010..510dfe0 100644
--- a/server/dcc-send.c
+++ b/server/dcc-send.c
@@ -2005,6 +2005,7 @@ static void red_marshall_image(RedChannelClient *rcc,
 
         spice_marshall_Image(src_bitmap_out, &red_image,
                              &bitmap_palette_out, &lzplt_palette_out);
+        red_pipe_item_ref(&item->base);
         spice_marshaller_add_by_ref_full(src_bitmap_out, item->data,
                                          bitmap.y * bitmap.stride,
                                          marshaller_unref_pipe_item, item);
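Review bot: the added red_pipe_item_ref(&item->base) is only balanced if spice_marshaller_add_by_ref_full is guaranteed to invoke marshaller_unref_pipe_item for this item on every path (including the marshaller being reset or destroyed before the data is sent); if there is any path where the free callback is not called, this reference leaks and the Drawable is never released. A one-line comment above the ref stating that ownership of this reference is transferred to the marshaller and released in marshaller_unref_pipe_item would make the pairing explicit for the next reader, since the ref and the matching unref are in different functions.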
commit 1e1ed93ea71d60d9b6ece7ec58836db1e8a5dab8
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Wed Jan 4 12:30:47 2017 +0000

    Avoid integer overflow for Drawable::refs field
    
    This fixes a regression caused by
    a43c21b6bcdda701763afb6d73e38a3c419e54c7
    ("DCC: change how fill_bits() marshalls data by reference").
    Before the mentioned patch there were a few references to the Drawable
    structure, so a uint8_t was enough.
    Now that every chunk of the image is accounted for, you can easily
    get an overflow.
    This fixes https://bugs.freedesktop.org/show_bug.cgi?id=99258.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Pavel Grunt <pgrunt at redhat.com>

diff --git a/server/display-channel.h b/server/display-channel.h
index 715ad1a..5ecc5c3 100644
--- a/server/display-channel.h
+++ b/server/display-channel.h
@@ -81,7 +81,7 @@ typedef struct DependItem {
 } DependItem;
 
 struct Drawable {
-    uint8_t refs;
+    uint32_t refs;
     RingItem surface_list_link;
     RingItem list_link;
     DrawItem tree_item;
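Review bot: widening refs from uint8_t to uint32_t removes the practical overflow described in the commit message, but the counter still wraps silently if it ever reaches its limit, and a wrapped refcount turns into a premature free. Consider having the ref and unref helpers for Drawable assert that refs is non-zero before decrementing and below the maximum before incrementing (spice_assert style, consistent with the rest of the server), so a future regression of the same kind fails loudly rather than corrupting memory. Note also that changing the first field from one byte to four alters the struct layout; that is fine for this internal type, but any code that relied on the old size or offsets would need a matching update.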