[Spice-devel] [PATCH spice-gtk] display: fix crash when releasing primary surface

Christophe Fergeau cfergeau at redhat.com
Tue Feb 25 07:15:50 PST 2014


On Tue, Feb 25, 2014 at 11:45:39AM +0100, Marc-André Lureau wrote:
> Since 1fcaaa15f8aca362f9e6afc87fb43cfbccf6ff62, display_surface is
> allocated using gslice. However MSG_DISPLAY_MODE handler didn't allocate
> using GSlice. This can eventually lead to a crash when freeing, such as:

ACK

Christophe

> 
> Thread no. 1 (6 frames)
>  #2 g_slice_free1 at gslice.c:1097
>  #3 iter_remove_or_steal at ghash.c:787
>  #4 clear_surfaces at /lib64/libspice-client-glib-2.0.so.8
>  #5 spice_display_channel_finalize at /lib64/libspice-client-glib-2.0.so.8
>  #7 spice_channel_delayed_unref at /lib64/libspice-client-glib-2.0.so.8
>  #12 gtk_main at gtkmain.c:1158
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1069546
> ---
>  gtk/channel-display.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/gtk/channel-display.c b/gtk/channel-display.c
> index e464abf..96fd764 100644
> --- a/gtk/channel-display.c
> +++ b/gtk/channel-display.c
> @@ -886,7 +886,7 @@ static void display_handle_mode(SpiceChannel *channel, SpiceMsgIn *in)
>  
>      g_warn_if_fail(c->mark == FALSE);
>  
> -    surface = spice_new0(display_surface, 1);
> +    surface = g_slice_new0(display_surface);
>      surface->format  = mode->bits == 32 ?
>          SPICE_SURFACE_FMT_32_xRGB : SPICE_SURFACE_FMT_16_555;
>      surface->width   = mode->x_res;
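
Review bot: at the changed allocation in display_handle_mode, the allocator is matched to the free path only by convention, which is how this site was missed when the referenced commit moved display_surface to GSlice. The backtrace shows the release happening through g_slice_free1 from the hash table cleanup in clear_surfaces, so any display_surface inserted there must come from g_slice_new0 or the same crash pattern returns. Consider routing creation and release through one pair of helpers (hypothetical names: display_surface_new / display_surface_free) so the two cannot drift apart again, and confirm in the commit message that no other spice_new0(display_surface, ...) caller remains in gtk/channel-display.c.
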
> -- 
> 1.8.5.3
> 