[Spice-commits] src/spice-widget.c

Frediano Ziglio fziglio at kemper.freedesktop.org
Thu Apr 19 12:06:29 UTC 2018


 src/spice-widget.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

New commits:
commit e13ce2f68fa1967fcf6a7df5ade36de11ac09a44
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Thu Apr 19 11:24:20 2018 +0100

    spice-widget: Fix use after free
    
    Before d567bfe65f010556f12c7ca5e95d0e480b2e4a70
    ("spice-widget: fix leak of boxed type cursor-shape") the cursor was
    just leaked. Now it is freed; however, mouse_pixbuf points to the cursor
    data, so once the cursor is freed mouse_pixbuf holds a dangling
    pointer. Retain the cursor as long as mouse_pixbuf is live.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Victor Toso <victortoso at redhat.com>

diff --git a/src/spice-widget.c b/src/spice-widget.c
index 8a6b5ab..5abc119 100644
--- a/src/spice-widget.c
+++ b/src/spice-widget.c
@@ -2641,6 +2641,13 @@ static void mark(SpiceDisplay *display, gint mark)
     update_ready(display);
 }
 
+static void cursor_shape_destroy(G_GNUC_UNUSED guchar *pixels, gpointer data)
+{
+    SpiceCursorShape *cursor_shape = data;
+
+    g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape);
+}
+
 static void cursor_set(SpiceCursorChannel *channel,
                        G_GNUC_UNUSED GParamSpec *pspec,
                        gpointer data)
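Review bot: `cursor_shape_destroy` carries the whole lifetime contract of this fix but has no comment stating it. Per the commit message the pixbuf points into the cursor data, so the boxed shape must stay alive until the pixbuf is finalized and must not be freed anywhere else. I would add above the function `/* GdkPixbufDestroyNotify: the pixbuf borrows the cursor shape's pixel data, so the boxed shape is released here, when the pixbuf is finalized; callers must not free it themselves. */`. Without that note, a later cleanup that re-adds a `g_boxed_free()` in `cursor_set` would become a double free.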
@@ -2667,10 +2674,9 @@ static void cursor_set(SpiceCursorChannel *channel,
                                                cursor_shape->width,
                                                cursor_shape->height,
                                                cursor_shape->width * 4,
-                                               NULL, NULL);
+                                               cursor_shape_destroy, cursor_shape);
     d->mouse_hotspot.x = cursor_shape->hot_spot_x;
     d->mouse_hotspot.y = cursor_shape->hot_spot_y;
-    g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape);
     cursor = gdk_cursor_new_from_pixbuf(gtk_widget_get_display(GTK_WIDGET(display)),
                                         d->mouse_pixbuf,
                                         d->mouse_hotspot.x,
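Review bot: Ownership of `cursor_shape` now passes to the pixbuf unconditionally, but the result of `gdk_pixbuf_new_from_data()` is not checked before it is used. As far as I know that call returns NULL without invoking the destroy callback when its argument checks fail (a non-positive width or height is one such case), so on that path the shape is leaked again and a NULL `d->mouse_pixbuf` reaches `gdk_cursor_new_from_pixbuf()`. The dimensions come from the cursor channel, and whether they are validated earlier is not visible here, since `cursor_set` starts before and continues after this hunk. A guard right after the call would close the gap: `if (d->mouse_pixbuf == NULL) { g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape); return; }`.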

