[Spice-devel] [PATCH spice-server] replay: Avoid double free of primary surface

Christophe Fergeau cfergeau at redhat.com
Wed Feb 8 15:28:43 UTC 2017


On Wed, Feb 08, 2017 at 01:00:00PM +0000, Frediano Ziglio wrote:
> read_binary attach mem to allocated list.

read_binary() attaches 'mem' to the SpiceReplay::allocated list

> On failure all memory attached to allocated list are freed

On failure, SpiceReplay::allocated and its content are freed by
spice_replay_free().

> but also replay->primary_mem is freed causing the double free.

SpiceReplay::primary_mem is also freed, which causes a double free as
replay_handle_create_primary() added 'mem' both to
SpiceReplay::primary_mem and SpiceReplay::allocated.

This commit avoids this by ensuring SpiceReplay::primary_mem is not kept
in the SpiceReplay::allocated list.

> Note that this double free can happen only on corrupted
> or wrong record images.

Acked-by: Christophe Fergeau <cfergeau at redhat.com>

> 
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
>  server/red-replay-qxl.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/server/red-replay-qxl.c b/server/red-replay-qxl.c
> index aeaa545..8c52e51 100644
> --- a/server/red-replay-qxl.c
> +++ b/server/red-replay-qxl.c
> @@ -1256,6 +1256,7 @@ static void replay_handle_create_primary(QXLWorker *worker, SpiceReplay *replay)
>      read_binary(replay, "data", &size, &mem, 0);
>      surface.group_id = 0;
>      free(replay->primary_mem);
> +    replay->allocated = g_list_remove(replay->allocated, mem);
>      replay->primary_mem = mem;
>      surface.mem = QXLPHYSICAL_FROM_PTR(mem);
>      worker->create_primary_surface(worker, 0, &surface);
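Review bot: The added g_list_remove() line transfers ownership of 'mem' from replay->allocated to replay->primary_mem, but nothing in the code says so. A one-line comment above it, noting that primary_mem is freed on its own (see the free(replay->primary_mem) just before) and therefore must not remain in the allocated list, would keep a later cleanup from reintroducing the double free. Separately, the result of read_binary() is not checked in the visible context. Since the commit message says the failure path is reached on corrupted records, it is worth confirming that 'mem' is always a valid or NULL pointer at this point before it is removed from the list and stored in primary_mem.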
> -- 
> 2.9.3