[Spice-devel] [PATCH spice-gtk] spice-widget: Fix use after free

Victor Toso victortoso at redhat.com
Thu Apr 19 10:58:00 UTC 2018 

Hi,

On Thu, Apr 19, 2018 at 11:25:12AM +0100, Frediano Ziglio wrote:
> Before d567bfe65f010556f12c7ca5e95d0e480b2e4a70
> ("spice-widget: fix leak of boxed type cursor-shape") the cursor was
> just leaked. Now is freed however mouse_pixbuf points to cursor
> data so when the cursor is freed mouse_pixbuf points to a dangling
> pointer. Retain the cursor as long as mouse_pixbuf is live.

Sure

> 
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
>  src/spice-widget-priv.h |  1 +
>  src/spice-widget.c      | 10 +++++++++-
>  2 files changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/src/spice-widget-priv.h b/src/spice-widget-priv.h
> index 1189cbb..68ab77b 100644
> --- a/src/spice-widget-priv.h
> +++ b/src/spice-widget-priv.h
> @@ -101,6 +101,7 @@ struct _SpiceDisplayPrivate {
>      bool                    mouse_have_pointer;
>      GdkCursor               *mouse_cursor;
>      GdkPixbuf               *mouse_pixbuf;
> +    SpiceCursorShape *cursor_shape;

I'd say that alignment here to keep local coding style or a extra
patch to apply coding style ..

>      GdkPoint                mouse_hotspot;
>      GdkCursor               *show_cursor;
>      int                     mouse_last_x;
> diff --git a/src/spice-widget.c b/src/spice-widget.c
> index 8a6b5ab..ef06dfc 100644
> --- a/src/spice-widget.c
> +++ b/src/spice-widget.c
> @@ -457,6 +457,10 @@ static void spice_display_finalize(GObject *obj)
>      g_clear_object(&d->show_cursor);
>      g_clear_object(&d->mouse_cursor);
>      g_clear_object(&d->mouse_pixbuf);
> +    if (d->cursor_shape != NULL) {
> +        g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, d->cursor_shape);
> +        d->cursor_shape = NULL;
> +    }
>  
>      G_OBJECT_CLASS(spice_display_parent_class)->finalize(obj);
>  }
> @@ -2661,6 +2665,11 @@ static void cursor_set(SpiceCursorChannel *channel,
>  
>      cursor_invalidate(display);
>      g_clear_object(&d->mouse_pixbuf);
> +    if (d->cursor_shape != NULL) {
> +        g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, d->cursor_shape);
> +        d->cursor_shape = NULL;
> +    }
> +    d->cursor_shape = cursor_shape;
>      d->mouse_pixbuf = gdk_pixbuf_new_from_data(cursor_shape->data,
>                                                 GDK_COLORSPACE_RGB,
>                                                 TRUE, 8,
> @@ -2670,7 +2679,6 @@ static void cursor_set(SpiceCursorChannel *channel,
>                                                 NULL, NULL);
>      d->mouse_hotspot.x = cursor_shape->hot_spot_x;
>      d->mouse_hotspot.y = cursor_shape->hot_spot_y;
> -    g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape);

        toso

>      cursor = gdk_cursor_new_from_pixbuf(gtk_widget_get_display(GTK_WIDGET(display)),
>                                          d->mouse_pixbuf,
>                                          d->mouse_hotspot.x,
> -- 
> 2.14.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20180419/7ce2b4ba/attachment.sig>

More information about the Spice-devel mailing list