pixman_image_unref() does not ignore NULL pointers, it tries to dereference it which causes a crash. When trying to decode invalid QUIC data, we could end up in a situation where 'surface' would still be NULL when reaching the setjmp block. Signed-off-by: Christophe Fergeau <cfergeau@xxxxxxxxxx> --- common/canvas_base.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/common/canvas_base.c b/common/canvas_base.c index ed0de73..a9d7855 100644 --- a/common/canvas_base.c +++ b/common/canvas_base.c @@ -380,7 +380,9 @@ static pixman_image_t *canvas_get_quic(CanvasBase *canvas, SpiceImage *image, int height; if (setjmp(quic_data->jmp_env)) { - pixman_image_unref(surface); + if (surface != NULL) { + pixman_image_unref(surface); + } spice_warning("%s", quic_data->message_buf); return NULL; } -- 2.13.3 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel
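Review bot: the `surface != NULL` guard removes the NULL dereference on the header-error path, but `surface` is necessarily assigned after `setjmp(quic_data->jmp_env)` returns the first time and is then read here after `longjmp()`, so for that read to be reliable the C standard (7.13.2.1) requires the variable to be declared `volatile`; otherwise a non-volatile automatic modified between `setjmp()` and `longjmp()` has an indeterminate value and an optimising build may test a stale register copy. The declaration is outside this hunk, so please confirm it reads along the lines of `pixman_image_t *volatile surface = NULL;` and, if it does not, fold that into the same patch, since the new check depends on it.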
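The failure the commit message describes, as an added stand-alone example that is not SPICE or pixman code: a decoder that reports errors through setjmp/longjmp, where a header error fires before any image has been allocated, so the cleanup in the setjmp block sees a NULL `surface`. The `image_t`/`image_create`/`image_unref` names and the four-byte-header toy format are assumptions invented here; `image_unref()` keeps pixman_image_unref()'s contract (a valid pointer is expected) but counts a NULL argument instead of crashing, so both the pre-patch and the patched error path can be exercised in one run. The `volatile` on `surface` is the reason the patched check can be trusted after the longjmp.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for pixman_image_t (assumption, not the pixman type):
   a refcounted pixel buffer. */
typedef struct {
    int refcount;
    unsigned char *pixels;
} image_t;

static int live_images;        /* images currently allocated */
static int null_unref_calls;   /* image_unref() calls that received NULL */

static image_t *image_create(size_t w, size_t h) {
    image_t *img = calloc(1, sizeof *img);
    if (img == NULL) return NULL;
    img->pixels = calloc(w * h, 4);          /* 4 bytes per pixel */
    if (img->pixels == NULL) { free(img); return NULL; }
    img->refcount = 1;
    live_images++;
    return img;
}

/* Mirrors pixman_image_unref()'s contract: a valid pointer is expected.
   Where the real function would dereference NULL and crash, this one
   records the bad call so the caller's behaviour can be observed. */
static void image_unref(image_t *img) {
    if (img == NULL) { null_unref_calls++; return; }
    if (--img->refcount == 0) { live_images--; free(img->pixels); free(img); }
}

typedef struct {
    jmp_buf jmp_env;
    const char *volatile message;  /* written after setjmp(), read after longjmp() */
} decoder_t;

static void decoder_fail(decoder_t *d, const char *msg) {
    d->message = msg;
    longjmp(d->jmp_env, 1);
}

/* Constructed toy format (not QUIC): 'Q', width byte, height byte, one
   reserved byte, then width*height gray bytes. Header checks run before
   any surface exists, which is the ordering that matters here. */
static void decode_header(decoder_t *d, const unsigned char *buf, size_t len,
                          size_t *w, size_t *h) {
    if (len < 4 || buf[0] != 'Q') decoder_fail(d, "bad magic");
    *w = buf[1];
    *h = buf[2];
    if (*w == 0 || *h == 0) decoder_fail(d, "zero-sized image");
}

static void decode_pixels(decoder_t *d, const unsigned char *buf, size_t len,
                          image_t *img, size_t w, size_t h) {
    if (len < 4 + w * h) decoder_fail(d, "truncated pixel data");
    for (size_t i = 0; i < w * h; i++) img->pixels[i * 4] = buf[4 + i];
}

/* guard_null selects the pre-patch (0) or patched (1) error path.
   Returns the decoded image, or NULL after a reported error. */
static image_t *decode_image(const unsigned char *buf, size_t len, int guard_null) {
    decoder_t d;
    /* volatile: assigned between setjmp() and longjmp(), then read in the
       error path; without it the value seen there is indeterminate. */
    image_t *volatile surface = NULL;
    size_t w, h;

    d.message = NULL;
    if (setjmp(d.jmp_env)) {
        if (!guard_null || surface != NULL)
            image_unref(surface);   /* unguarded: NULL reaches unref on a header error */
        fprintf(stderr, "decode failed: %s\n", d.message);
        return NULL;
    }
    decode_header(&d, buf, len, &w, &h);     /* may longjmp with surface == NULL */
    surface = image_create(w, h);
    if (surface == NULL) decoder_fail(&d, "out of memory");
    decode_pixels(&d, buf, len, surface, w, h);  /* may longjmp with surface set */
    return surface;
}

int main(void) {
    static const unsigned char bad_magic[] = { 'X', 2, 2, 0, 1, 2, 3, 4 };
    static const unsigned char truncated[] = { 'Q', 2, 2, 0, 1, 2 };
    static const unsigned char good[]      = { 'Q', 2, 2, 0, 1, 2, 3, 4 };

    decode_image(bad_magic, sizeof bad_magic, 0);   /* pre-patch path */
    printf("NULL unrefs without the guard: %d\n", null_unref_calls);
    decode_image(bad_magic, sizeof bad_magic, 1);   /* patched path */
    decode_image(truncated, sizeof truncated, 1);   /* surface existed, gets freed */
    image_t *img = decode_image(good, sizeof good, 1);
    printf("good decode: %s, live images: %d\n", img ? "ok" : "failed", live_images);
    if (img) image_unref(img);
    return 0;
}
```

The truncated input is the other half of the picture: there the error fires after `image_create()`, so the same setjmp block must still release the surface, which is why the patch guards the call rather than dropping it.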