|
|
2be4b2 |
From eede1d8307b48016274077eea4dd9c7a296bf84a Mon Sep 17 00:00:00 2001
|
|
|
73b8f2 |
From: Frediano Ziglio <fziglio@redhat.com>
|
|
|
73b8f2 |
Date: Tue, 8 Sep 2015 10:01:51 +0100
|
|
|
2be4b2 |
Subject: [PATCH 53/64] Fix race condition on red_get_clip_rects
|
|
|
73b8f2 |
|
|
|
73b8f2 |
Do not read multiple time an array size that can be changed.
|
|
|
73b8f2 |
|
|
|
73b8f2 |
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
|
|
73b8f2 |
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
|
|
73b8f2 |
---
|
|
|
73b8f2 |
server/red_parse_qxl.c | 8 +++++---
|
|
|
73b8f2 |
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
|
73b8f2 |
|
|
|
73b8f2 |
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
|
|
|
73b8f2 |
index 3385f52..affd3a2 100644
|
|
|
73b8f2 |
--- a/server/red_parse_qxl.c
|
|
|
73b8f2 |
+++ b/server/red_parse_qxl.c
|
|
|
73b8f2 |
@@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
|
|
|
73b8f2 |
size_t size;
|
|
|
73b8f2 |
int i;
|
|
|
73b8f2 |
int error;
|
|
|
73b8f2 |
+ uint32_t num_rects;
|
|
|
73b8f2 |
|
|
|
73b8f2 |
qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
|
|
|
73b8f2 |
if (error) {
|
|
|
73b8f2 |
@@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
|
|
|
73b8f2 |
data = red_linearize_chunk(&chunks, size, &free_data);
|
|
|
73b8f2 |
red_put_data_chunks(&chunks);
|
|
|
73b8f2 |
|
|
|
73b8f2 |
- spice_assert(qxl->num_rects * sizeof(QXLRect) == size);
|
|
|
73b8f2 |
- red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect));
|
|
|
73b8f2 |
- red->num_rects = qxl->num_rects;
|
|
|
73b8f2 |
+ num_rects = qxl->num_rects;
|
|
|
73b8f2 |
+ spice_assert(num_rects * sizeof(QXLRect) == size);
|
|
|
73b8f2 |
+ red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
|
|
|
73b8f2 |
+ red->num_rects = num_rects;
|
|
|
73b8f2 |
|
|
|
73b8f2 |
start = (QXLRect*)data;
|
|
|
73b8f2 |
for (i = 0; i < red->num_rects; i++) {
|
|
|
73b8f2 |
--
|
|
|
73b8f2 |
2.4.3
|
|
|
73b8f2 |
|