[Spice-devel] [PATCH spice-gtk v2] spice-widget: Fix use after free

Victor Toso victortoso at redhat.com
Thu Apr 19 11:33:38 UTC 2018


Hi,

On Thu, Apr 19, 2018 at 12:27:02PM +0100, Frediano Ziglio wrote:
> Before d567bfe65f010556f12c7ca5e95d0e480b2e4a70
> ("spice-widget: fix leak of boxed type cursor-shape") the cursor was
> just leaked. Now it is freed; however, mouse_pixbuf points to the cursor
> data, so when the cursor is freed mouse_pixbuf is left with a dangling
> pointer. Retain the cursor as long as mouse_pixbuf is live.
> 
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
>  src/spice-widget.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> Changes since v1:
> - avoid extra field to retain the shape.
> 
> diff --git a/src/spice-widget.c b/src/spice-widget.c
> index 8a6b5ab..5abc119 100644
> --- a/src/spice-widget.c
> +++ b/src/spice-widget.c
> @@ -2641,6 +2641,13 @@ static void mark(SpiceDisplay *display, gint mark)
>      update_ready(display);
>  }
>  
> +static void cursor_shape_destroy(G_GNUC_UNUSED guchar *pixels, gpointer data)
> +{
> +    SpiceCursorShape *cursor_shape = data;
> +
> +    g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape);
> +}
> +
>  static void cursor_set(SpiceCursorChannel *channel,
>                         G_GNUC_UNUSED GParamSpec *pspec,
>                         gpointer data)
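Review bot: cursor_shape_destroy carries no comment stating its contract; a one-line comment above it saying that it is the GdkPixbufDestroyNotify attached to d->mouse_pixbuf, and that the pixbuf therefore owns the boxed SpiceCursorShape (nothing else may g_boxed_free it), would document why the free moved here. Worth stating in that comment as well that the notify only runs when the last reference to the pixbuf is dropped, so cursor data must never be reached through a cached pointer after that point.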
> @@ -2667,10 +2674,9 @@ static void cursor_set(SpiceCursorChannel *channel,
>                                                 cursor_shape->width,
>                                                 cursor_shape->height,
>                                                 cursor_shape->width * 4,
> -                                               NULL, NULL);
> +                                               cursor_shape_destroy, cursor_shape);

Ha. I went all the way in gdk to double check that they don't
copy the data, totally missed this.

Acked-by: Victor Toso <victortoso at redhat.com>

>      d->mouse_hotspot.x = cursor_shape->hot_spot_x;
>      d->mouse_hotspot.y = cursor_shape->hot_spot_y;
> -    g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape);
>      cursor = gdk_cursor_new_from_pixbuf(gtk_widget_get_display(GTK_WIDGET(display)),
>                                          d->mouse_pixbuf,
>                                          d->mouse_hotspot.x,
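Review bot: with the `g_boxed_free(SPICE_TYPE_CURSOR_SHAPE, cursor_shape);` removed here, the boxed shape is now released only through the destroy notify passed as `cursor_shape_destroy, cursor_shape`, so any return from cursor_set between fetching the shape and this gdk_pixbuf_new_from_data call (the start of the function is outside the hunk) would now leak it; please confirm no such path exists. The change itself is the right fix: gdk_pixbuf_new_from_data wraps the caller's buffer without copying, so the previous `NULL, NULL` destroy arguments plus an immediate free left d->mouse_pixbuf, and the GdkCursor created from it, referencing freed memory.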
> -- 
> 2.14.3
> 
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel