[Spice-devel] [PATCH spice-gtk v2 1/5] gio-pipe: fix NULL pointer dereferencing
Jakub Janků
jjanku at redhat.com
Wed Jun 19 15:37:46 UTC 2019
In pipe_output_stream_is_writable, if the peer is already gone,
peer_closed is set to TRUE and in this case, peer->read should not be accessed
as peer is NULL.
Otherwise, the following sequence of calls (simplified) would trigger a segfault:
spice_make_pipe(p1, p2);
g_output_stream_write_all_async(p1_out);
g_clear_object(p2);
g_pollable_output_stream_is_writable(p1_out);
Signed-off-by: Jakub Janků <jjanku at redhat.com>
---
src/giopipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/giopipe.c b/src/giopipe.c
index de1adae..fcec844 100644
--- a/src/giopipe.c
+++ b/src/giopipe.c
@@ -420,7 +420,7 @@ pipe_output_stream_is_writable (GPollableOutputStream *stream)
PipeOutputStream *self = PIPE_OUTPUT_STREAM(stream);
gboolean writable;
- writable = self->buffer == NULL || self->peer->read >= 0 || self->peer_closed;
+ writable = self->buffer == NULL || self->peer_closed || self->peer->read >= 0;
//g_debug("writable %p %d", self, writable);
return writable;
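Review bot: the reordered expression on the `+` line only avoids the NULL dereference because `||` short-circuits, and it is correct only under the invariant that `self->peer` is NULL solely when `self->peer_closed` has already been set to TRUE. Consider adding a one-line comment above the assignment stating that invariant, since a future change that clears `self->peer` without setting `peer_closed` (or sets `peer_closed` after clearing `peer` in a non-atomic sequence) would silently reintroduce the crash described in the commit message. Minor style point: the commented-out `//g_debug("writable %p %d", self, writable);` left in the context of this hunk is dead code; either drop it or guard it with the project's usual debug facility.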
--
2.21.0