[Spice-commits] 3 commits - server/dcc-send.c
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Thu Jul 11 08:38:25 UTC 2019
server/dcc-send.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
New commits:
commit da162ad41191c275a387ca5b2f4a4728cfd19235
Author: Uri Lublin <uril at redhat.com>
Date: Wed Jul 10 20:44:35 2019 +0300
dcc-send: fix use-after-free
'l' is being freed within the loop
Found-by: Frediano Ziglio <fziglio at redhat.com>
Signed-off-by: Uri Lublin <uril at redhat.com>
Acked-by: Frediano Ziglio <fziglio at redhat.com>
diff --git a/server/dcc-send.c b/server/dcc-send.c
index e0f3b818..4a92ce8c 100644
--- a/server/dcc-send.c
+++ b/server/dcc-send.c
@@ -711,7 +711,7 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
int resent_surface_ids[MAX_PIPE_SIZE];
SpiceRect resent_areas[MAX_PIPE_SIZE]; // not pointers since drawables may be released
int num_resent;
- GList *l;
+ GList *l, *prev;
GQueue *pipe;
resent_surface_ids[0] = first_surface_id;
@@ -721,11 +721,12 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
pipe = red_channel_client_get_pipe(RED_CHANNEL_CLIENT(dcc));
// going from the oldest to the newest
- for (l = pipe->tail; l != NULL; l = l->prev) {
+ for (l = pipe->tail; l != NULL; l = prev) {
RedPipeItem *pipe_item = l->data;
Drawable *drawable;
RedDrawablePipeItem *dpi;
+ prev = l->prev;
if (pipe_item->type != RED_PIPE_ITEM_TYPE_DRAW)
continue;
dpi = SPICE_UPCAST(RedDrawablePipeItem, pipe_item);
commit 636f9c25a60d6f796aacb9ab248beaf10cf36f58
Author: Frediano Ziglio <fziglio at redhat.com>
Date: Wed Jul 10 20:44:34 2019 +0300
dcc-send: remove unused variable 'image'
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
Acked-by: Victor Toso <victortoso at redhat.com>
diff --git a/server/dcc-send.c b/server/dcc-send.c
index 565a79f3..e0f3b818 100644
--- a/server/dcc-send.c
+++ b/server/dcc-send.c
@@ -725,7 +725,6 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
RedPipeItem *pipe_item = l->data;
Drawable *drawable;
RedDrawablePipeItem *dpi;
- RedImageItem *image;
if (pipe_item->type != RED_PIPE_ITEM_TYPE_DRAW)
continue;
@@ -745,13 +744,12 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
continue;
}
- image = dcc_add_surface_area_image(dcc, drawable->red_drawable->surface_id,
- &drawable->red_drawable->bbox, l, TRUE);
+ dcc_add_surface_area_image(dcc, drawable->red_drawable->surface_id,
+ &drawable->red_drawable->bbox, l, TRUE);
resent_surface_ids[num_resent] = drawable->red_drawable->surface_id;
resent_areas[num_resent] = drawable->red_drawable->bbox;
num_resent++;
- spice_assert(image);
red_channel_client_pipe_remove_and_release_pos(RED_CHANNEL_CLIENT(dcc), l);
}
}
commit 44325e115446461b08dc0fd7093c06258d5bd921
Author: Uri Lublin <uril at redhat.com>
Date: Wed Jul 10 20:44:33 2019 +0300
dcc-send: remove useless pipe_item assignment pipe_item
In red_pipe_replace_rendered_drawables_with_images, the
value of pipe_item is re-written on the next iteration.
Since a78a7d251042892182b158650291d19a85bbd6b1 pipe_item
is no longer used to control the loop.
Found by Covscan.
Signed-off-by: Uri Lublin <uril at redhat.com>
Acked-by: Frediano Ziglio <fziglio at redhat.com>
diff --git a/server/dcc-send.c b/server/dcc-send.c
index b14619a2..565a79f3 100644
--- a/server/dcc-send.c
+++ b/server/dcc-send.c
@@ -753,7 +753,6 @@ static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
spice_assert(image);
red_channel_client_pipe_remove_and_release_pos(RED_CHANNEL_CLIENT(dcc), l);
- pipe_item = &image->base;
}
}
More information about the Spice-commits
mailing list