[Spice-devel] [PATCH] prevent free setting same cursor in worker in red_set_cursor
Frediano Ziglio
fziglio at redhat.com
Fri Aug 21 02:26:40 PDT 2015
Currently callers don't call red_set_cursor with the cursor in worker->cursor,
but in theory it is possible.
Doing so could cause the cursor to be freed and then reused, as initially
the reference counter is 1, so the object is freed but then attempted to
be used again.
Incrementing the reference counter before trying to free the object solves
the problem.
Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
server/red_worker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/red_worker.c b/server/red_worker.c
index d4abc3c..e70c008 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -4831,10 +4831,10 @@ static void red_release_cursor(RedWorker *worker, CursorItem *cursor)
static void red_set_cursor(RedWorker *worker, CursorItem *cursor)
{
+ ++cursor->refs;
if (worker->cursor) {
red_release_cursor(worker, worker->cursor);
}
- ++cursor->refs;
worker->cursor = cursor;
}
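Review bot: The position of `++cursor->refs;` at the top of red_set_cursor is now what keeps the object alive when cursor == worker->cursor, but nothing in the code says so, and a later cleanup could move the increment back next to the assignment and reintroduce the use-after-free described in the commit message. Please add a short comment above the increment stating that the reference must be taken before red_release_cursor() runs because the new cursor may be the one currently set. Alternatively, make the case explicit with an early `if (worker->cursor == cursor) return;` so the function no longer relies on statement order.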
--
2.4.3