Re: [PATCH] server/red_parse_qxl: red_get_image: fix leaks on bad image

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,
there are 2 more occurrences of return NULL that should be replaced by goto error. 

Yonit.
On 07/22/2012 01:42 PM, Alon Levy wrote:

---
  server/red_parse_qxl.c |   20 ++++++++++++++------
  1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index deab38f..221c005 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -336,7 +336,8 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
  {
      RedDataChunk chunks;
      QXLImage *qxl;
-    SpiceImage *red;
+    SpiceImage *red = NULL;
+    SpicePalette *rp = NULL;
      size_t bitmap_size, size;
      uint8_t qxl_flags;
      int error;
@@ -368,11 +369,11 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
          if (!bitmap_fmt_is_rgb(qxl->bitmap.format)&&  !qxl->bitmap.palette) {
              spice_warning("guest error: missing palette on bitmap format=%d\n",
                            red->u.bitmap.format);
-            return NULL;
+            goto error;
          }
          if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0) {
              spice_warning("guest error: zero area bitmap\n");
-            return NULL;
+            goto error;
          }
          qxl_flags = qxl->bitmap.flags;
          if (qxl_flags&  QXL_BITMAP_TOP_DOWN) {
@@ -383,7 +384,6 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
          red->u.bitmap.stride = qxl->bitmap.stride;
          if (qxl->bitmap.palette) {
              QXLPalette *qp;
-            SpicePalette *rp;
              int i, num_ents;
              qp = (QXLPalette *)get_virt(slots, qxl->bitmap.palette,
                                          sizeof(*qp), group_id,&error);
@@ -421,7 +421,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
                                         &chunks, qxl->bitmap.data);
              spice_assert(size == bitmap_size);
              if (size != bitmap_size) {
-                return NULL;
+                goto error;
              }
              red->u.bitmap.data = red_get_image_data_chunked(slots, group_id,
                                                              &chunks);
@@ -441,7 +441,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
                                         &chunks, (QXLDataChunk *)qxl->quic.data);
          spice_assert(size == red->u.quic.data_size);
          if (size != red->u.quic.data_size) {
-            return NULL;
+            goto error;
          }
          red->u.quic.data = red_get_image_data_chunked(slots, group_id,
                                                        &chunks);
@@ -451,6 +451,14 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
          spice_error("unknown type %d", red->descriptor.type);
      }
      return red;
+error:
+    if (red) {
+        free(red);
+    }
+    if (rp) {
+        free(rp);
+    }
+    return NULL;
  }

  void red_put_image(SpiceImage *red)


_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]