Currently callers don't call red_set_cursor with the cursor in worker->cursor, but in theory it is possible. Doing so could cause the cursor to be freed and then reused, as initially the reference counter is 1, so the object is freed but then attempted to be used again. Incrementing the reference counter before trying to free the object solves the problem.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>

--- server/red_worker.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/red_worker.c b/server/red_worker.c index d4abc3c..e70c008 100644 --- a/server/red_worker.c +++ b/server/red_worker.c @@ -4831,10 +4831,10 @@ static void red_release_cursor(RedWorker *worker, CursorItem *cursor) static void red_set_cursor(RedWorker *worker, CursorItem *cursor) { + ++cursor->refs; if (worker->cursor) { red_release_cursor(worker, worker->cursor); } - ++cursor->refs; worker->cursor = cursor; } -- 2.4.3
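
Review bot: the relocated `++cursor->refs;` at the top of red_set_cursor has no comment explaining why it must come before the `red_release_cursor(worker, worker->cursor)` call. The ordering is the whole fix, and the two statements look freely reorderable, so a later cleanup could move the increment back down and reintroduce the free-then-reuse the commit message describes for the case cursor == worker->cursor. Suggest a one-line comment above the increment, for example `/* take the new reference first: cursor may already be worker->cursor */`. With the new order that case leaves the count where it started (incremented, then dropped once by the release), which is the intended result, so the code change itself looks right. An explicit early return when `worker->cursor == cursor` would be an alternative way to make the intent obvious, but reference-before-release as done here is fine once it is documented.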