[Spice-devel] [PATCH spice-gtk 3/5] record: do not crash after record is stopped

Marc-André Lureau marcandre.lureau at redhat.com
Wed Apr 29 08:06:46 PDT 2015 

If spice_record_send_data() after a reset, last_frame is NULL and memcpy
will crash.  Check if the recording was started if last_frame != NULL
instead.

 Program received signal SIGSEGV, Segmentation fault.
 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:204
 204                       vmovdqa %ymm0, (%rdi)
 (gdb) bt
 #0  __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:204
 #1  0x00007ffff44f57b5 in spice_record_send_data (channel=0x1228640, data=0x7fff9ad0f000, bytes=960, time=0) at channel-record.c:349
 #2  0x00007ffff45162f0 in stream_read_callback (s=0xad8c00, length=960, data=<optimized out>) at spice-pulse.c:485
 #3  0x00007ffff2ea0c76 in pstream_memblock_callback (p=<optimized out>, channel=<optimized out>, offset=0, seek=PA_SEEK_RELATIVE, chunk=0x7fffffffcf70, userdata=0x11e71c0) at pulse/context.c:411
 #4  0x00007fffe8da8b4f in do_read (p=p at entry=0x123a050, re=re at entry=0x123a1d0) at pulsecore/pstream.c:906
 #5  0x00007fffe8daae87 in do_pstream_read_write (p=0x123a050) at pulsecore/pstream.c:193
 #6  0x00007ffff30e1bea in dispatch_func (source=0x1111e50, callback=<optimized out>, userdata=<optimized out>) at pulse/glib-mainloop.c:584
 #7  0x00007fffed76b93b in g_main_dispatch (context=0x816ea0) at gmain.c:3122

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1215343
---
 gtk/channel-record.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/gtk/channel-record.c b/gtk/channel-record.c
index 0b41349..d07d84e 100644
--- a/gtk/channel-record.c
+++ b/gtk/channel-record.c
@@ -322,13 +322,17 @@ void spice_record_send_data(SpiceRecordChannel *channel, gpointer data,
     SpiceRecordChannelPrivate *rc;
     SpiceMsgcRecordPacket p = {0, };
 
-    g_return_if_fail(channel != NULL);
+    g_return_if_fail(SPICE_IS_RECORD_CHANNEL(channel));
+    rc = channel->priv;
+    if (rc->last_frame == NULL) {
+        CHANNEL_DEBUG(channel, "recording didn't start or was reset");
+        return;
+    }
+
     g_return_if_fail(spice_channel_get_read_only(SPICE_CHANNEL(channel)) == FALSE);
 
     uint8_t *encode_buf = NULL;
 
-    rc = channel->priv;
-
     if (!rc->started) {
         spice_record_mode(channel, time, rc->mode, NULL, 0);
         spice_record_start_mark(channel, time);
-- 
2.1.0

More information about the Spice-devel mailing list