The guest can attempt to increase the number of segments while
spice-server is reading them.
Make sure we don't copy more then the allocated segments.
Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
Acked-by: Christophe Fergeau <cfergeau@xxxxxxxxxx>
---
server/red_parse_qxl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 281faad..c7f8650 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id,
seg = (SpicePathSeg*)&red->segments[n_segments];
n_segments = 0;
mem_size2 = sizeof(*red);
- while (start+1 < end) {
+ while (start+1 < end && n_segments < red->num_segments) {
red->segments[n_segments++] = seg;
count = start->count;
--
2.4.3
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel