From 078a903d55f44aedd22b4fa8dd86e4b03b82c01c Mon Sep 17 00:00:00 2001

From: Frediano Ziglio <fziglio@redhat.com>

Date: Tue, 8 Sep 2015 10:01:51 +0100

Subject: [PATCH 46/57] Fix race condition on red_get_clip_rects

Do not read multiple time an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

Acked-by: Christophe Fergeau <cfergeau@redhat.com>

---

 server/red_parse_qxl.c | 8 +++++---

 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c

index 3385f52..affd3a2 100644

--- a/server/red_parse_qxl.c

+++ b/server/red_parse_qxl.c

@@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,

     size_t size;

     int i;

     int error;

+    uint32_t num_rects;

     qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);

     if (error) {

@@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,

     data = red_linearize_chunk(&chunks, size, &free_data);

     red_put_data_chunks(&chunks);

-    spice_assert(qxl->num_rects * sizeof(QXLRect) == size);

-    red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect));

-    red->num_rects = qxl->num_rects;

+    num_rects = qxl->num_rects;

+    spice_assert(num_rects * sizeof(QXLRect) == size);

+    red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));

+    red->num_rects = num_rects;

     start = (QXLRect*)data;

     for (i = 0; i < red->num_rects; i++) {

-- 

2.4.3