[spice-server] fixup! dcc-send: remove useless pipe_item assignment pipe_item

Submitted by Frediano Ziglio on July 4, 2019, 9:33 a.m.

Details

Message ID 20190704093357.2098-1-fziglio@redhat.com
State Superseded
Headers show
Series "fixup! dcc-send: remove useless pipe_item assignment pipe_item" ( rev: 1 ) in Spice

Not browsing as part of any series.

Commit Message

Frediano Ziglio July 4, 2019, 9:33 a.m.
Remove use-after-free introduced by a78a7d251042892182b158650291d19a85bbd6b1
---
 server/dcc-send.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Patch hide | download patch | download mbox

diff --git a/server/dcc-send.c b/server/dcc-send.c
index 565a79f33..4582e3545 100644
--- a/server/dcc-send.c
+++ b/server/dcc-send.c
@@ -725,7 +725,6 @@  static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
         RedPipeItem *pipe_item = l->data;
         Drawable *drawable;
         RedDrawablePipeItem *dpi;
-        RedImageItem *image;
 
         if (pipe_item->type != RED_PIPE_ITEM_TYPE_DRAW)
             continue;
@@ -745,14 +744,16 @@  static void red_pipe_replace_rendered_drawables_with_images(DisplayChannelClient
             continue;
         }
 
-        image = dcc_add_surface_area_image(dcc, drawable->red_drawable->surface_id,
-                                           &drawable->red_drawable->bbox, l, TRUE);
+        dcc_add_surface_area_image(dcc, drawable->red_drawable->surface_id,
+                                   &drawable->red_drawable->bbox, l, TRUE);
         resent_surface_ids[num_resent] = drawable->red_drawable->surface_id;
         resent_areas[num_resent] = drawable->red_drawable->bbox;
         num_resent++;
 
-        spice_assert(image);
+        GList *image_pos = l->next;
+        spice_assert(image_pos);
         red_channel_client_pipe_remove_and_release_pos(RED_CHANNEL_CLIENT(dcc), l);
+        l = image_pos;
     }
 }