[Spice-devel] [spice-server PATCH v2 3/3] dcc-send: fix use-after-free

Thu Jul 11 08:26:40 UTC 2019

> 
> 'l' is being freed within the loop
> 
> Found-by: Frediano Ziglio <fziglio at redhat.com>
> Signed-off-by: Uri Lublin <uril at redhat.com>

Acked

> ---
>  server/dcc-send.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/server/dcc-send.c b/server/dcc-send.c
> index e0f3b8183..4a92ce8cd 100644
> --- a/server/dcc-send.c
> +++ b/server/dcc-send.c
> @@ -711,7 +711,7 @@ static void
> red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
>      int resent_surface_ids[MAX_PIPE_SIZE];
>      SpiceRect resent_areas[MAX_PIPE_SIZE]; // not pointers since drawables
>      may be released
>      int num_resent;
> -    GList *l;
> +    GList *l, *prev;
>      GQueue *pipe;
>  
>      resent_surface_ids[0] = first_surface_id;
> @@ -721,11 +721,12 @@ static void
> red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
>      pipe = red_channel_client_get_pipe(RED_CHANNEL_CLIENT(dcc));
>  
>      // going from the oldest to the newest
> -    for (l = pipe->tail; l != NULL; l = l->prev) {
> +    for (l = pipe->tail; l != NULL; l = prev) {
>          RedPipeItem *pipe_item = l->data;
>          Drawable *drawable;
>          RedDrawablePipeItem *dpi;
>  
> +        prev = l->prev;
>          if (pipe_item->type != RED_PIPE_ITEM_TYPE_DRAW)
>              continue;
>          dpi = SPICE_UPCAST(RedDrawablePipeItem, pipe_item);

Frediano