[Spice-devel,v2,2/6] image_encoders: check shared_dict before accessing it

Submitted by Uri Lublin on Dec. 6, 2016, 4:06 p.m.

Details

Message ID 20161206160631.30624-3-uril@redhat.com
State Accepted
Commit dad108edb156c889a63ee7f4d7a2844d6cf0db97
Series "More coverity fixes" ( rev: 3 ) in Spice

Commit Message

Uri Lublin Dec. 6, 2016, 4:06 p.m.
In both image_encoders_restore_glz_dictionary() and
image_encoders_get_glz_dictionary() shared_dict may
be NULL if size is too large, and the server gets
size from the network.

Both functions end up calling glz_enc_dictionary_create()
that calls glz_dictionary_window_create() where size is
checked.

Found by Coverity.

Signed-off-by: Uri Lublin <uril@redhat.com>
---
 server/image-encoders.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/image-encoders.c b/server/image-encoders.c
index 3a73e0c..0d57260 100644
--- a/server/image-encoders.c
+++ b/server/image-encoders.c
@@ -746,7 +746,9 @@  gboolean image_encoders_get_glz_dictionary(ImageEncoders *enc,
         shared_dict->refs++;
     } else {
         shared_dict = create_glz_dictionary(enc, client, id, window_size);
-        glz_dictionary_list = g_list_prepend(glz_dictionary_list, shared_dict);
+        if (shared_dict != NULL) {
+            glz_dictionary_list = g_list_prepend(glz_dictionary_list, shared_dict);
+        }
     }
 
     pthread_mutex_unlock(&glz_dictionary_list_lock);
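Review bot: the new check keeps a NULL out of glz_dictionary_list, but after the else branch shared_dict itself is still NULL, and the hunk ends at pthread_mutex_unlock() without showing what happens to it next. Since window_size is client-supplied, the lines that follow the unlock need to test shared_dict and turn the rejected size into a failure return rather than dereference it; worth confirming in the same change, or stating in the commit message that the caller already handles a NULL result.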
@@ -782,7 +784,9 @@  gboolean image_encoders_restore_glz_dictionary(ImageEncoders *enc,
         shared_dict->refs++;
     } else {
         shared_dict = restore_glz_dictionary(enc, client, id, restore_data);
-        glz_dictionary_list = g_list_prepend(glz_dictionary_list, shared_dict);
+        if(shared_dict != NULL) {
+            glz_dictionary_list = g_list_prepend(glz_dictionary_list, shared_dict);
+        }
     }
 
     pthread_mutex_unlock(&glz_dictionary_list_lock);
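Review bot: style: `if(shared_dict != NULL)` is missing the space after `if` that the first hunk uses (`if (shared_dict != NULL)`); the two hunks should match. The same caveat as in image_encoders_get_glz_dictionary() applies here: restore_glz_dictionary() can still leave shared_dict NULL for the code after pthread_mutex_unlock(), which this hunk does not show handling.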

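The commit message describes a constructor that refuses a network-supplied window size by returning NULL, and the patch keeps that NULL out of the shared dictionary list. The following is an added example, not Spice code, showing the same shape as a self-contained C program: a hypothetical dict_cache_* API with an assumed MAX_WINDOW_SIZE bound, a plain intrusive list standing in for GList, and no mutex around the list (the real server takes glz_dictionary_list_lock). The point it demonstrates is that a failed create must neither be linked into the list nor be silently handed back to the caller.

```c
/* Added example (hypothetical dict_cache_* API, not Spice's own code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest window the server will allocate for one dictionary.  The bound is an
 * assumption for this example, not the limit Spice uses. */
#define MAX_WINDOW_SIZE (16u * 1024u * 1024u)

typedef struct SharedDict {
    uint8_t id;               /* dictionary id chosen by the client */
    uint32_t window_size;     /* window size as received from the network */
    int refs;                 /* number of encoders sharing this dictionary */
    uint8_t *window;          /* the allocated history window */
    struct SharedDict *next;  /* intrusive link in the shared list */
} SharedDict;

/* One process-wide list, playing the role of glz_dictionary_list. */
static SharedDict *dict_list = NULL;

/* Validate the untrusted size, then allocate.  Returns NULL when the size is
 * rejected or memory runs out, the contract the commit message describes for
 * glz_dictionary_window_create(). */
static SharedDict *dict_create(uint8_t id, uint32_t window_size)
{
    if (window_size == 0 || window_size > MAX_WINDOW_SIZE) {
        return NULL;
    }
    SharedDict *d = calloc(1, sizeof *d);
    if (d == NULL) {
        return NULL;
    }
    d->window = calloc(window_size, 1);
    if (d->window == NULL) {
        free(d);
        return NULL;
    }
    d->id = id;
    d->window_size = window_size;
    d->refs = 1;
    return d;
}

/* Find the dictionary for `id`, creating it on first use.  A NULL from
 * dict_create() is never linked into the list and is returned to the caller
 * as a failure, so no later walk of the list can hit a NULL entry. */
static SharedDict *dict_cache_get(uint8_t id, uint32_t window_size)
{
    SharedDict *d;
    for (d = dict_list; d != NULL; d = d->next) {
        if (d->id == id) {
            d->refs++;
            return d;
        }
    }
    d = dict_create(id, window_size);
    if (d != NULL) {           /* the check the patch adds before prepending */
        d->next = dict_list;
        dict_list = d;
    }
    return d;
}

/* Drop one reference to dictionary `id`.  Returns the remaining count, 0 once
 * the dictionary is unlinked and freed, or -1 if no such dictionary exists. */
static int dict_cache_put(uint8_t id)
{
    for (SharedDict **link = &dict_list; *link != NULL; link = &(*link)->next) {
        SharedDict *d = *link;
        if (d->id != id) {
            continue;
        }
        if (--d->refs > 0) {
            return d->refs;
        }
        *link = d->next;
        free(d->window);
        free(d);
        return 0;
    }
    return -1;
}

/* Reference count of dictionary `id`, or -1 if it is not cached. */
static int dict_cache_refs(uint8_t id)
{
    for (SharedDict *d = dict_list; d != NULL; d = d->next) {
        if (d->id == id) {
            return d->refs;
        }
    }
    return -1;
}

/* Number of dictionaries currently in the list. */
static size_t dict_cache_count(void)
{
    size_t n = 0;
    for (SharedDict *d = dict_list; d != NULL; d = d->next) {
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: a sane size twice for one id, then a size that is
     * far beyond the bound, as a hostile client could send. */
    SharedDict *a = dict_cache_get(1, 64 * 1024);
    SharedDict *b = dict_cache_get(1, 64 * 1024);
    SharedDict *c = dict_cache_get(2, 0xFFFFFFFFu);
    printf("id 1 shared=%d refs=%d; id 2 created=%d; cached=%zu\n",
           a == b, dict_cache_refs(1), c != NULL, dict_cache_count());
    dict_cache_put(1);
    dict_cache_put(1);
    return 0;
}
```

In the program above the rejected size leaves the list untouched and the caller receives NULL; a caller that ignores that return value would still be the bug, which is why the Spice change needs the code after the unlock to check shared_dict as well.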
Comments

> 
> In both image_encoders_restore_glz_dictionary() and
> image_encoders_get_glz_dictionary() shared_dict may
> be NULL if size is too large, and the server gets
> size from the network.
> 
> Both functions end up calling glz_enc_dictionary_create()
> that calls glz_dictionary_window_create() where size is
> checked.
> 
> Found by Coverity.
> 
> Signed-off-by: Uri Lublin <uril@redhat.com>
> ---
>  server/image-encoders.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/server/image-encoders.c b/server/image-encoders.c
> index 3a73e0c..0d57260 100644
> --- a/server/image-encoders.c
> +++ b/server/image-encoders.c
> @@ -746,7 +746,9 @@ gboolean image_encoders_get_glz_dictionary(ImageEncoders
> *enc,
>          shared_dict->refs++;
>      } else {
>          shared_dict = create_glz_dictionary(enc, client, id, window_size);
> -        glz_dictionary_list = g_list_prepend(glz_dictionary_list,
> shared_dict);
> +        if (shared_dict != NULL) {
> +            glz_dictionary_list = g_list_prepend(glz_dictionary_list,
> shared_dict);
> +        }
>      }
>  
>      pthread_mutex_unlock(&glz_dictionary_list_lock);
> @@ -782,7 +784,9 @@ gboolean
> image_encoders_restore_glz_dictionary(ImageEncoders *enc,
>          shared_dict->refs++;
>      } else {
>          shared_dict = restore_glz_dictionary(enc, client, id, restore_data);
> -        glz_dictionary_list = g_list_prepend(glz_dictionary_list,
> shared_dict);
> +        if(shared_dict != NULL) {
> +            glz_dictionary_list = g_list_prepend(glz_dictionary_list,
> shared_dict);
> +        }
>      }
>  
>      pthread_mutex_unlock(&glz_dictionary_list_lock);

Does not hurt.

Acked-by: Frediano Ziglio <fziglio@redhat.com>

Frediano