[Spice-devel] [PATCH spice-server] Avoid leaking memory on invalid cursor commands
Frediano Ziglio
fziglio at redhat.com
Wed Aug 23 07:57:00 UTC 2017
>
> When a RedCursorCmd is passed to cursor_channel_process_cmd(), it
> constructs a new CursorItem which takes ownership of that command. If
> the cursor_cmd->type falls through to the default case of the switch
> statement, we will print a warning and return without freeing the
> CursorItem (and thus the RedCursorCmd).
Acked-by: Frediano Ziglio <fziglio at redhat.com>
> ---
> server/cursor-channel.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/server/cursor-channel.c b/server/cursor-channel.c
> index 4abcd531b..831c81e6e 100644
> --- a/server/cursor-channel.c
> +++ b/server/cursor-channel.c
> @@ -337,6 +337,7 @@ void cursor_channel_process_cmd(CursorChannel *cursor,
> RedCursorCmd *cursor_cmd)
> break;
> default:
> spice_warning("invalid cursor command %u", cursor_cmd->type);
> + cursor_item_unref(cursor_item);
> return;
> }
>
More information about the Spice-devel
mailing list