From 078a903d55f44aedd22b4fa8dd86e4b03b82c01c Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 8 Sep 2015 10:01:51 +0100
Subject: [PATCH 46/57] Fix race condition on red_get_clip_rects
Do not read multiple times an array size that can be changed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
73b8f2
index 3385f52..affd3a2 100644
73b8f2
--- a/server/red_parse_qxl.c
73b8f2
+++ b/server/red_parse_qxl.c
73b8f2
@@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
73b8f2
     size_t size;
73b8f2
     int i;
73b8f2
     int error;
73b8f2
+    uint32_t num_rects;
73b8f2
 
73b8f2
     qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
73b8f2
     if (error) {
73b8f2
@@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
73b8f2
     data = red_linearize_chunk(&chunks, size, &free_data);
73b8f2
     red_put_data_chunks(&chunks);
73b8f2
 
73b8f2
-    spice_assert(qxl->num_rects * sizeof(QXLRect) == size);
73b8f2
-    red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect));
73b8f2
-    red->num_rects = qxl->num_rects;
73b8f2
+    num_rects = qxl->num_rects;
73b8f2
+    spice_assert(num_rects * sizeof(QXLRect) == size);
73b8f2
+    red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
73b8f2
+    red->num_rects = num_rects;
73b8f2
 
73b8f2
     start = (QXLRect*)data;
73b8f2
     for (i = 0; i < red->num_rects; i++) {
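Review bot: The check `spice_assert(num_rects * sizeof(QXLRect) == size)` multiplies a count read from `qxl` (memory the commit message treats as changeable by another party) in `size_t`, so on a build where `size_t` is 32 bits the product can wrap and a very large `num_rects` could compare equal to a small `size`. The `spice_malloc` argument on the following line would wrap the same way while the loop below still iterates `num_rects` times. Widening the comparison avoids this: `spice_assert((uint64_t)num_rects * sizeof(QXLRect) == size);`. Separately, `num_rects = qxl->num_rects;` is a plain load through a non-volatile pointer, so the single fetch presumably relies on the compiler not reloading it; a comment such as `/* qxl may change concurrently: read num_rects exactly once */` would record the intent. red_get_clip_rects begins and ends outside this hunk.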
-- 
2.4.3