[Spice-devel] [PATCH spice-gtk 1/5] gio-pipe: fix NULL pointer dereferencing

Frediano Ziglio fziglio at redhat.com
Tue Jun 18 10:26:48 UTC 2019


> 
> In pipe_output_stream_is_writable, if the peer is already gone,
> peer_closed is set to TRUE and in this case, peer->read should not be
> accessed
> as peer is NULL.
> 
> Otherwise, the following sequence of calls (simplified) would trigger a
> segfault:
> 
>     spice_make_pipe(p1, p2);
>     g_output_stream_write_all_async(p1_out);
>     g_clear_object(p2);
>     g_pollable_output_stream_is_writable(p1_out);
> 
> Signed-off-by: Jakub Janků <jjanku at redhat.com>

Acked.

> ---
>  src/giopipe.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/giopipe.c b/src/giopipe.c
> index de1adae..fcec844 100644
> --- a/src/giopipe.c
> +++ b/src/giopipe.c
> @@ -420,7 +420,7 @@ pipe_output_stream_is_writable (GPollableOutputStream
> *stream)
>      PipeOutputStream *self = PIPE_OUTPUT_STREAM(stream);
>      gboolean writable;
>  
> -    writable = self->buffer == NULL || self->peer->read >= 0 ||
> self->peer_closed;
> +    writable = self->buffer == NULL || self->peer_closed || self->peer->read
> >= 0;
>      //g_debug("writable %p %d", self, writable);
>  
>      return writable;
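Review bot: the reordered expression relies on `||` short-circuit evaluation and on the invariant that `self->peer_closed` is TRUE whenever `self->peer` is NULL; nothing in the hunk documents that coupling, so a later edit that reorders the terms (or clears `peer` without setting `peer_closed`) would reintroduce the crash silently. Consider either a comment on the line stating that `peer_closed` must be tested before `peer->read` because `peer` may be NULL, or an explicit guard such as `(self->peer != NULL && self->peer->read >= 0)`, which keeps the intent visible regardless of operand order. The commented-out `//g_debug(...)` line is unchanged context but is dead code and could be dropped in a follow-up.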

Frediano

