> > pixman_image_unref() does not ignore NULL pointers, it tries to > dereference it which causes a crash. When trying to decode invalid QUIC > data, we could end up in a situation where 'surface' would still be > NULL when reaching the setjmp block. > > Signed-off-by: Christophe Fergeau <cfergeau@xxxxxxxxxx> > --- > common/canvas_base.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/common/canvas_base.c b/common/canvas_base.c > index ed0de73..a9d7855 100644 > --- a/common/canvas_base.c > +++ b/common/canvas_base.c > @@ -380,7 +380,9 @@ static pixman_image_t *canvas_get_quic(CanvasBase > *canvas, SpiceImage *image, > int height; > > if (setjmp(quic_data->jmp_env)) { > - pixman_image_unref(surface); > + if (surface != NULL) { > + pixman_image_unref(surface); > + } > spice_warning("%s", quic_data->message_buf); > return NULL; > } Acked-by: Frediano Ziglio <fziglio@xxxxxxxxxx> Frediano _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/spice-devel
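Review bot: the new `if (surface != NULL)` guard in the setjmp block is only sound if `surface` is initialised to NULL before `setjmp()` is called and still holds its latest value after the `longjmp()` triggered by invalid QUIC data; the hunk shows neither the declaration of `surface` nor its initialisation, so please confirm it is set to NULL at declaration, and since the commit message implies it is assigned between `setjmp()` and the `longjmp()`, consider declaring it `volatile` (for example `pixman_image_t *volatile surface = NULL;`) so the value tested in the guard is the one actually stored rather than a stale register copy, which C leaves indeterminate for non-volatile locals modified after `setjmp()`.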