[Spice-devel] [PATCH spice-server] replay: Avoid double free of primary surface

Wed Feb 8 13:00:00 UTC 2017

read_binary attach mem to allocated list.
On failure all memory attached to allocated list are freed
but also replay->primary_mem is freed causing the double free.
Note that this double free can happen only on currupted
or wrong record images.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 server/red-replay-qxl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/red-replay-qxl.c b/server/red-replay-qxl.c
index aeaa545..8c52e51 100644
--- a/server/red-replay-qxl.c
+++ b/server/red-replay-qxl.c
@@ -1256,6 +1256,7 @@ static void replay_handle_create_primary(QXLWorker *worker, SpiceReplay *replay)
     read_binary(replay, "data", &size, &mem, 0);
     surface.group_id = 0;
     free(replay->primary_mem);
+    replay->allocated = g_list_remove(replay->allocated, mem);
     replay->primary_mem = mem;
     surface.mem = QXLPHYSICAL_FROM_PTR(mem);
     worker->create_primary_surface(worker, 0, &surface);
-- 
2.9.3

