On Wed, Feb 08, 2017 at 01:00:00PM +0000, Frediano Ziglio wrote: > read_binary attach mem to allocated list. read_binary() attaches 'mem' to the SpiceReplay::allocated list > On failure all memory attached to allocated list are freed On failure, SpiceReplay::allocated and its content are freed by spice_replay_free(). > but also replay->primary_mem is freed causing the double free. SpiceReplay::primary_mem is also freed, which causes a double free as replay_handle_create_primary() added 'mem' both to SpiceReplay::primary_mem and SpiceReplay::allocated. This commit avoids this by ensuring SpiceReplay::primary_mem is not kept in the SpiceReplay::allocated list. > Note that this double free can happen only on currupted > or wrong record images. Acked-by: Christophe Fergeau <cfergeau@xxxxxxxxxx> > > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> > --- > server/red-replay-qxl.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/server/red-replay-qxl.c b/server/red-replay-qxl.c > index aeaa545..8c52e51 100644 > --- a/server/red-replay-qxl.c > +++ b/server/red-replay-qxl.c > @@ -1256,6 +1256,7 @@ static void replay_handle_create_primary(QXLWorker *worker, SpiceReplay *replay) > read_binary(replay, "data", &size, &mem, 0); > surface.group_id = 0; > free(replay->primary_mem); > + replay->allocated = g_list_remove(replay->allocated, mem); > replay->primary_mem = mem; > surface.mem = QXLPHYSICAL_FROM_PTR(mem); > worker->create_primary_surface(worker, 0, &surface); > -- > 2.9.3 > > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > https://lists.freedesktop.org/mailman/listinfo/spice-devel
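Review bot: the added line `replay->allocated = g_list_remove(replay->allocated, mem);` transfers ownership of `mem` from the allocated list to `replay->primary_mem`, but nothing in the hunk says so; a short comment above it (e.g. "mem is now owned by primary_mem and freed via free(replay->primary_mem), not with the allocated list") would stop a future reader from "fixing" the apparent leak by putting it back. A second point in the same context: the return value of `read_binary(replay, "data", &size, &mem, 0);` is still discarded, so if read_binary can fail without assigning `mem`, the following `free(replay->primary_mem); ... replay->primary_mem = mem;` sequence would install whatever `mem` held before the call; either check the result before the free/assign sequence or make sure `mem` is initialised to NULL, since g_list_remove() on a value that was never added is harmless but the assignment is not.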