From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 8 Sep 2015 10:05:20 +0100
Subject: [PATCH] Fix race condition in red_get_string
Do not read multiple times an array size that can be changed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
server/red_parse_qxl.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 84ea526..2d4636e 100644
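--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -809,6 +809,7 @@ static SpiceString *red_get_string(RedMemSlotInfo *slots, int group_id,
  size_t chunk_size, qxl_size, red_size, glyph_size;
  int glyphs, bpp = 0, i;
  int error;
+ uint16_t qxl_flags, qxl_length;
 
  qxl = (QXLString *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
  if (error) {
@@ -825,13 +826,15 @@ static SpiceString *red_get_string(RedMemSlotInfo *slots, int group_id,
  red_put_data_chunks(&chunks);
 
  qxl_size = qxl->data_size;
+ qxl_flags = qxl->flags;
+ qxl_length = qxl->length;
  spice_assert(chunk_size == qxl_size);
 
- if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A1) {
+ if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A1) {
  bpp = 1;
- } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A4) {
+ } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A4) {
  bpp = 4;
- } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A8) {
+ } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A8) {
  bpp = 8;
  }
  spice_assert(bpp != 0);
@@ -848,11 +851,11 @@ static SpiceString *red_get_string(RedMemSlotInfo *slots, int group_id,
  start = (QXLRasterGlyph*)(&start->data[glyph_size]);
  }
  spice_assert(start <= end);
- spice_assert(glyphs == qxl->length);
+ spice_assert(glyphs == qxl_length);
 
  red = spice_malloc(red_size);
- red->length = qxl->length;
- red->flags = qxl->flags;
+ red->length = qxl_length;
+ red->flags = qxl_flags;
 
  start = (QXLRasterGlyph*)data;
  end = (QXLRasterGlyph*)(data + chunk_size);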
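Review bot: The new snapshots `qxl_flags = qxl->flags;` and `qxl_length = qxl->length;` are plain loads through a non-volatile pointer, so the compiler may still re-read the fields from the shared structure instead of keeping the local copy, which would quietly bring back the double read this patch removes. Making the single fetch explicit, for example `qxl_flags = *(volatile uint16_t *)&qxl->flags;` (assuming the fields are 16-bit, as the new locals suggest), and likewise for `length` and the existing `qxl_size = qxl->data_size;`, would pin the intent; a one-line comment such as `/* snapshot once: this memory can change while we parse it */` above the three reads would keep a later cleanup from folding them back. Separately, the second walk that restarts at `start = (QXLRasterGlyph*)data;` runs after `red_size` has been fixed by the first pass. If `data` can still alias the same changeable memory, the per-glyph sizes read in that walk should be bounded by what was allocated rather than assumed to match the first pass. Both loop bodies lie outside these hunks, so that part needs confirming against the full function.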