On Mon, Nov 23, 2015 at 7:11 PM, Frediano Ziglio <fziglio@xxxxxxxxxx> wrote:
>>
>> From: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
>>
>> ---
>> server/red_worker.c | 35 ++++++++++++++++-------------------
>> 1 file changed, 16 insertions(+), 19 deletions(-)
>>
>> diff --git a/server/red_worker.c b/server/red_worker.c
>> index becd42f..a82a871 100644
>> --- a/server/red_worker.c
>> +++ b/server/red_worker.c
>> @@ -936,26 +936,23 @@ static void image_surface_init(DisplayChannel *display)
>> display->image_surfaces.ops = &image_surfaces_ops;
>> }
>>
>> -static void validate_area(DisplayChannel *display, const SpiceRect *area,
>> uint32_t surface_id)
>> +static void surface_update_dest(RedSurface *surface, const SpiceRect *area)
>> {
>> - RedSurface *surface;
>> + SpiceCanvas *canvas = surface->context.canvas;
>> + int h = area->bottom - area->top;
>> + int stride = surface->context.stride;
>> + uint8_t *line_0 = surface->context.line_0;
>>
>> - surface = &display->surfaces[surface_id];
>> - if (!surface->context.canvas_draws_on_surface) {
>> - SpiceCanvas *canvas = surface->context.canvas;
>> - int h;
>> - int stride = surface->context.stride;
>> - uint8_t *line_0 = surface->context.line_0;
>> + if (surface->context.canvas_draws_on_surface)
>> + return;
>> + if (h == 0)
>> + return;
>>
>> - if (!(h = area->bottom - area->top)) {
>> - return;
>> - }
>> + spice_return_if_fail(stride < 0);
>>
>> - spice_assert(stride < 0);
>> - uint8_t *dest = line_0 + (area->top * stride) + area->left *
>> sizeof(uint32_t);
>> - dest += (h - 1) * stride;
>> - canvas->ops->read_bits(canvas, dest, -stride, area);
>> - }
>> + uint8_t *dest = line_0 + (area->top * stride) + area->left *
>> sizeof(uint32_t);
>> + dest += (h - 1) * stride;
>> + canvas->ops->read_bits(canvas, dest, -stride, area);
>> }
>>
>> /*
>> @@ -1037,7 +1034,7 @@ void display_channel_draw_till(DisplayChannel *display,
>> const SpiceRect *area, i
>> drawable_draw(display, now);
>> display_channel_drawable_unref(display, now);
>> } while (now != surface_last);
>> - validate_area(display, area, surface_id);
>> + surface_update_dest(surface, area);
>> }
>>
>> void display_channel_draw(DisplayChannel *display, const SpiceRect *area,
>> int surface_id)
>> @@ -1074,7 +1071,7 @@ void display_channel_draw(DisplayChannel *display,
>> const SpiceRect *area, int su
>> region_destroy(&rgn);
>>
>> if (!last) {
>> - validate_area(display, area, surface_id);
>> + surface_update_dest(surface, area);
>> return;
>> }
>>
>> @@ -1090,7 +1087,7 @@ void display_channel_draw(DisplayChannel *display,
>> const SpiceRect *area, int su
>> drawable_draw(display, now);
>> display_channel_drawable_unref(display, now);
>> } while (now != last);
>> - validate_area(display, area, surface_id);
>> + surface_update_dest(surface, area);
>> }
>>
>> static int red_process_cursor(RedWorker *worker, uint32_t max_pipe_size, int
>> *ring_is_empty)
>> --
>> 2.4.3
>>
>
> This is an example on how an innocent patch can cause problems... this cause
> a use after free problem!
Btw, I split this patch ...
>
> Frediano
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel