diff options
author | Frediano Ziglio <fziglio@redhat.com> | 2015-09-08 10:01:51 +0100 |
---|---|---|
committer | Frediano Ziglio <fziglio@redhat.com> | 2015-10-06 11:11:10 +0100 |
commit | 3dfd1a08286d524a742d51952595fcfb6f0c6f1b (patch) | |
tree | 40e8b1ca85dcade6576a84792e5e2e6fd6896551 | |
parent | 0f58e9da56e0cbbe4349eefcbb300b6f285e0423 (diff) |
Fix race condition on red_get_clip_rects
Do not read multiple time an array size that can be changed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
-rw-r--r-- | server/red_parse_qxl.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 40c1c99..a9f3ca1 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c @@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id, size_t size; int i; int error; + uint32_t num_rects; qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); if (error) { @@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id, data = red_linearize_chunk(&chunks, size, &free_data); red_put_data_chunks(&chunks); - spice_assert(qxl->num_rects * sizeof(QXLRect) == size); - red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect)); - red->num_rects = qxl->num_rects; + num_rects = qxl->num_rects; + spice_assert(num_rects * sizeof(QXLRect) == size); + red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect)); + red->num_rects = num_rects; start = (QXLRect*)data; for (i = 0; i < red->num_rects; i++) { |