[Spice-devel] [PATCH spice-server 2/2] Increment correctly reference before adding the item to marshaller
Pavel Grunt
pgrunt at redhat.com
Thu Jan 5 08:10:10 UTC 2017
Ack,
Pavel
On Wed, 2017-01-04 at 13:35 +0000, Frediano Ziglio wrote:
> When the initial image was sent to the client the reference
> was not incremented leading to some user after free.
> This regression was introduced in
> 3bde2e570cbfd4f29a2e94c14ff28b6e3987048d
> ("DCC: remove more init_send_data() arguments").
>
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
> server/dcc-send.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/server/dcc-send.c b/server/dcc-send.c
> index ab5f010..510dfe0 100644
> --- a/server/dcc-send.c
> +++ b/server/dcc-send.c
> @@ -2005,6 +2005,7 @@ static void
> red_marshall_image(RedChannelClient *rcc,
>
> spice_marshall_Image(src_bitmap_out, &red_image,
> &bitmap_palette_out,
> &lzplt_palette_out);
> + red_pipe_item_ref(&item->base);
> spice_marshaller_add_by_ref_full(src_bitmap_out, item-
> >data,
> bitmap.y * bitmap.stride,
> marshaller_unref_pipe_item
> , item);
More information about the Spice-devel
mailing list