authorFrediano Ziglio <fziglio@redhat.com>2015-09-08 10:01:51 +0100
committerFrediano Ziglio <fziglio@redhat.com>2015-10-06 11:11:10 +0100
commit3dfd1a08286d524a742d51952595fcfb6f0c6f1b (patch)
tree40e8b1ca85dcade6576a84792e5e2e6fd6896551
parent0f58e9da56e0cbbe4349eefcbb300b6f285e0423 (diff)
Fix race condition on red_get_clip_rects
Do not read multiple times an array size that can be changed. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Acked-by: Christophe Fergeau <cfergeau@redhat.com>
-rw-r--r--server/red_parse_qxl.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index 40c1c99..a9f3ca1 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
size_t size;
int i;
int error;
+ uint32_t num_rects;
qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
if (error) {
@@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
data = red_linearize_chunk(&chunks, size, &free_data);
red_put_data_chunks(&chunks);
- spice_assert(qxl->num_rects * sizeof(QXLRect) == size);
- red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect));
- red->num_rects = qxl->num_rects;
+ num_rects = qxl->num_rects;
+ spice_assert(num_rects * sizeof(QXLRect) == size);
+ red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
+ red->num_rects = num_rects;
start = (QXLRect*)data;
for (i = 0; i < red->num_rects; i++) {
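Review bot: The consistency check on `num_rects` is still a `spice_assert`, so a count that disagrees with the chunk size (and `qxl` appears to point into memory the guest can write) would, if the assert aborts as asserts usually do, take down the whole server process instead of failing this one command; consider rejecting the clip through the function's error path, freeing `data` when it was allocated, rather than asserting. On builds where `size_t` is 32 bits, `num_rects * sizeof(QXLRect)` and the size passed to `spice_malloc` could also wrap, so an upper bound on `num_rects` before the multiplication would be worth adding. The single read is what keeps the check, the allocation and the loop bound in agreement, so it deserves a comment such as `/* qxl is guest-writable: read num_rects once and use only this copy */` above `num_rects = qxl->num_rects;`. The body of red_get_clip_rects starts and ends outside this hunk, so the existing error handling is not visible here.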