
spice-0.12.5-2.4.mga5.src.rpm

From 932e27e50032c1c7032be3616217a2ab0586fe78 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 8 Sep 2015 10:05:20 +0100
Subject: [PATCH 48/57] Fix race condition in red_get_string

Do not read multiple times an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
---
 server/red_parse_qxl.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

Index: spice-0.12.5/server/red_parse_qxl.c
===================================================================
--- spice-0.12.5.orig/server/red_parse_qxl.c	2015-10-01 07:18:08.849784691 -0400
+++ spice-0.12.5/server/red_parse_qxl.c	2015-10-01 07:18:08.845784723 -0400
@@ -810,6 +810,7 @@
     size_t chunk_size, qxl_size, red_size, glyph_size;
     int glyphs, bpp = 0, i;
     int error;
+    uint16_t qxl_flags, qxl_length;
 
     qxl = (QXLString *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
     if (error) {
@@ -826,13 +827,15 @@
     red_put_data_chunks(&chunks);
 
     qxl_size = qxl->data_size;
+    qxl_flags = qxl->flags;
+    qxl_length = qxl->length;
     spice_assert(chunk_size == qxl_size);
 
-    if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A1) {
+    if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A1) {
         bpp = 1;
-    } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A4) {
+    } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A4) {
         bpp = 4;
-    } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A8) {
+    } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A8) {
         bpp = 8;
     }
     spice_assert(bpp != 0);
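Review bot: The copies into `qxl_size`, `qxl_flags` and `qxl_length` are ordinary loads through a non-volatile `QXLString *`, so the compiler is still permitted to re-read `qxl->flags` or `qxl->length` at the later uses; per the commit message that memory can change underneath the parser, so the double fetch is not ruled out at the language level. Forcing a single access would make the snapshot explicit, e.g. `qxl_flags = *(volatile uint16_t *)&qxl->flags;`, and likewise for `length` and `data_size`. A comment above the three assignments such as `/* snapshot fields that can change concurrently; do not read qxl-> after this point */` would also keep later edits from reintroducing direct reads. The function starts and ends outside this hunk, so how `chunk_size` was derived before the snapshot cannot be checked from here.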
@@ -849,11 +852,11 @@
         start = (QXLRasterGlyph*)(&start->data[glyph_size]);
     }
     spice_assert(start <= end);
-    spice_assert(glyphs == qxl->length);
+    spice_assert(glyphs == qxl_length);
 
     red = spice_malloc(red_size);
-    red->length = qxl->length;
-    red->flags = qxl->flags;
+    red->length = qxl_length;
+    red->flags = qxl_flags;
 
     start = (QXLRasterGlyph*)data;
     end = (QXLRasterGlyph*)(data + chunk_size);
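Review bot: `spice_assert(glyphs == qxl_length)` still validates a count taken from the parsed string with an assertion, as do `spice_assert(start <= end)` just above it and `spice_assert(chunk_size == qxl_size)` / `spice_assert(bpp != 0)` in the previous hunk. If `spice_assert` aborts the process, as assertion macros usually do, a malformed string terminates the server instead of being rejected as a bad command. The `if (error)` branch after `get_virt` suggests the function already has a failure path, so these checks would be better expressed as `if (glyphs != qxl_length) { /* log, release data, take the same exit as the error branch */ }`. What that branch returns, and whether `data` needs freeing at this point, is not visible in the hunk.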