[Spice-devel] [PATCH spice-gtk 1/5] gio-pipe: fix NULL pointer dereferencing
Frediano Ziglio
fziglio at redhat.com
Tue Jun 18 10:26:48 UTC 2019
>
> In pipe_output_stream_is_writable, if the peer is already gone,
> peer_closed is set to TRUE and in this case, peer->read should not be
> accessed
> as peer is NULL.
>
> Otherwise, the following sequence of calls (simplified) would trigger a
> segfault:
>
> spice_make_pipe(p1, p2);
> g_output_stream_write_all_async(p1_out);
> g_clear_object(p2);
> g_pollable_output_stream_is_writable(p1_out);
>
> Signed-off-by: Jakub Janků <jjanku at redhat.com>
Acked.
> ---
> src/giopipe.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/giopipe.c b/src/giopipe.c
> index de1adae..fcec844 100644
> --- a/src/giopipe.c
> +++ b/src/giopipe.c
> @@ -420,7 +420,7 @@ pipe_output_stream_is_writable (GPollableOutputStream
> *stream)
> PipeOutputStream *self = PIPE_OUTPUT_STREAM(stream);
> gboolean writable;
>
> - writable = self->buffer == NULL || self->peer->read >= 0 ||
> self->peer_closed;
> + writable = self->buffer == NULL || self->peer_closed || self->peer->read
> >= 0;
> //g_debug("writable %p %d", self, writable);
>
> return writable;
Frediano
More information about the Spice-devel
mailing list