read_binary attaches mem to allocated list. On failure all memory attached to allocated list is freed but also replay->primary_mem is freed causing the double free. Note that this double free can happen only on corrupted or wrong record images. Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> --- server/red-replay-qxl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/server/red-replay-qxl.c b/server/red-replay-qxl.c index aeaa545..8c52e51 100644 --- a/server/red-replay-qxl.c +++ b/server/red-replay-qxl.c @@ -1256,6 +1256,7 @@ static void replay_handle_create_primary(QXLWorker *worker, SpiceReplay *replay) read_binary(replay, "data", &size, &mem, 0); surface.group_id = 0; free(replay->primary_mem); + replay->allocated = g_list_remove(replay->allocated, mem); replay->primary_mem = mem; surface.mem = QXLPHYSICAL_FROM_PTR(mem); worker->create_primary_surface(worker, 0, &surface); -- 2.9.3 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel
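Review bot: the result of `read_binary(replay, "data", &size, &mem, 0);` is still ignored in this hunk, so on a failed read the following `free(replay->primary_mem);`, the new `g_list_remove` and `replay->primary_mem = mem;` all run anyway; if read_binary leaves `mem` NULL or unset on failure, `primary_mem` ends up holding that value and is freed later on the same error path the commit message describes, which is the class of bug this patch is meant to close. Consider checking the read result (or at least that `mem` is non-NULL) before the free/detach/assign sequence, and add a one-line comment on the added `g_list_remove` stating that `mem` is detached from `replay->allocated` because ownership now passes to `primary_mem`, so a later reader does not mistake the removal for a leak from the tracking list.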