[Spice-devel] [PATCH] snd channel: fix accessing freed memory
Arnon Gilboa
agilboa at redhat.com
Sun Oct 14 00:08:38 PDT 2012
ack
Yonit Halperin wrote:
> snd_channel_put freed "channel", and then channel->worker was accessed.
> It caused segmentation faults during connections and disconnections of the client.
> ---
> server/snd_worker.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/server/snd_worker.c b/server/snd_worker.c
> index a12397e..bc7be51 100644
> --- a/server/snd_worker.c
> +++ b/server/snd_worker.c
> @@ -214,9 +214,9 @@ static void snd_disconnect_channel(SndChannel *channel)
> return;
> }
> spice_debug("%p", channel);
> + worker = channel->worker;
> if (channel->stream) {
> channel->cleanup(channel);
> - worker = channel->worker;
> red_channel_client_disconnect(worker->connection->channel_client);
> core->watch_remove(channel->stream->watch);
> channel->stream->watch = NULL;
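Review bot: the added "worker = channel->worker;" line has no comment saying why the read has to sit this early, so a later tidy-up could move it back below snd_channel_put(channel) and reintroduce the crash. Add a one-line comment there stating that worker is cached because the put may free channel. Since channel->cleanup(channel) now runs after the read instead of before it, also confirm that cleanup never changes channel->worker.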
> @@ -225,7 +225,7 @@ static void snd_disconnect_channel(SndChannel *channel)
> spice_marshaller_destroy(channel->send_data.marshaller);
> }
> snd_channel_put(channel);
> - channel->worker->connection = NULL;
> + worker->connection = NULL;
> }
>
> static void snd_playback_free_frame(PlaybackChannel *playback_channel, AudioFrame *frame)
>
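Review bot: at "worker->connection = NULL;" the fix depends on worker staying valid after snd_channel_put(channel), and nothing in the visible lines shows that. Please confirm that worker is not released along with the channel's last reference. If nothing on the put path reads worker->connection, clearing it before the put would make the ordering obvious, with no access of any kind following the release. The commit message could also say that the last reference may be dropped here, which is what makes the old "channel->worker->connection = NULL;" a use after free.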