[Spice-devel] [PATCH spice-gtk] spice-widget: Fix use after free

Frediano Ziglio fziglio at redhat.com
Thu Apr 19 10:25:12 UTC 2018 

Before d567bfe65f010556f12c7ca5e95d0e480b2e4a70
("spice-widget: fix leak of boxed type cursor-shape") the cursor was
just leaked. Now is freed however mouse_pixbuf points to cursor
data so when the cursor is freed mouse_pixbuf points to a dangling
pointer. Retain the cursor as long as mouse_pixbuf is live.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 src/spice-widget-priv.h |  1 +
 src/spice-widget.c      | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/spice-widget-priv.h b/src/spice-widget-priv.h
index 1189cbb..68ab77b 100644
--- a/src/spice-widget-priv.h
+++ b/src/spice-widget-priv.h
@@ -101,6 +101,7 @@ struct _SpiceDisplayPrivate {
     bool                    mouse_have_pointer;
     GdkCursor               *mouse_cursor;
     GdkPixbuf               *mouse_pixbuf;
+    SpiceCursorShape *cursor_shape;
     GdkPoint                mouse_hotspot;
     GdkCursor               *show_cursor;
     int                     mouse_last_x;
diff --git a/src/spice-widget.c b/src/spice-widget.c
index 8a6b5ab..ef06dfc 100644
--- a/src/spice-widget.c
+++ b/src/spice-widget.c
@@ -457,6 +457,10 @@ static void spice_display_finalize(GObject *obj)
     g_clear_object(&d->show_cursor);
     g_clear_object(&d->mouse_cursor);
     g_clear_object(&d->mouse_pixbuf);
+    if (d->cursor_shape != NULL) {
+        g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, d->cursor_shape);
+        d->cursor_shape = NULL;
+    }
 
     G_OBJECT_CLASS(spice_display_parent_class)->finalize(obj);
 }
@@ -2661,6 +2665,11 @@ static void cursor_set(SpiceCursorChannel *channel,
 
     cursor_invalidate(display);
     g_clear_object(&d->mouse_pixbuf);
+    if (d->cursor_shape != NULL) {
+        g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, d->cursor_shape);
+        d->cursor_shape = NULL;
+    }
+    d->cursor_shape = cursor_shape;
     d->mouse_pixbuf = gdk_pixbuf_new_from_data(cursor_shape->data,
                                                GDK_COLORSPACE_RGB,
                                                TRUE, 8,
@@ -2670,7 +2679,6 @@ static void cursor_set(SpiceCursorChannel *channel,
                                                NULL, NULL);
     d->mouse_hotspot.x = cursor_shape->hot_spot_x;
     d->mouse_hotspot.y = cursor_shape->hot_spot_y;
-    g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape);
     cursor = gdk_cursor_new_from_pixbuf(gtk_widget_get_display(GTK_WIDGET(display)),
                                         d->mouse_pixbuf,
                                         d->mouse_hotspot.x,
-- 
2.14.3

More information about the Spice-devel mailing list