[spice-server] reds: Fix use-after-free

Submitted by Frediano Ziglio on July 17, 2019, 10:41 a.m.

Details

Message ID 20190717104133.30186-1-fziglio@redhat.com
State Accepted
Commit 4894d58ace32730f7eb44e2cee129f9ac2b292b4
Headers show
Series "reds: Fix use-after-free" ( rev: 1 ) in Spice

Not browsing as part of any series.

Commit Message

Frediano Ziglio July 17, 2019, 10:41 a.m.
video_codecs can be freed so use it before.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
---
 server/reds.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Patch hide | download patch | download mbox

diff --git a/server/reds.c b/server/reds.c
index 817fdd423..78bbe5a0f 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -3851,6 +3851,10 @@  static int reds_set_video_codecs_from_string(RedsState *reds, const char *codecs
         codecs = c;
     }
 
+    if (installed) {
+        *installed = video_codecs->len;
+    }
+
     if (video_codecs->len == 0) {
         spice_warning("Failed to set video codecs, input string: '%s'", codecs);
         g_array_unref(video_codecs);
@@ -3860,10 +3864,6 @@  static int reds_set_video_codecs_from_string(RedsState *reds, const char *codecs
 
     g_free(codecs_copy);
 
-    if (installed) {
-        *installed = video_codecs->len;
-    }
-
     return invalid_codecs;
 }
 

Comments

On 7/17/19 1:41 PM, Frediano Ziglio wrote:
> video_codecs can be freed so use it before.
> 
> Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

Ack.

I had a similar patch, you sent your faster :)

Uri.

> ---
>   server/reds.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/server/reds.c b/server/reds.c
> index 817fdd423..78bbe5a0f 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -3851,6 +3851,10 @@ static int reds_set_video_codecs_from_string(RedsState *reds, const char *codecs
>           codecs = c;
>       }
>   
> +    if (installed) {
> +        *installed = video_codecs->len;
> +    }
> +
>       if (video_codecs->len == 0) {
>           spice_warning("Failed to set video codecs, input string: '%s'", codecs);
>           g_array_unref(video_codecs);
> @@ -3860,10 +3864,6 @@ static int reds_set_video_codecs_from_string(RedsState *reds, const char *codecs
>   
>       g_free(codecs_copy);
>   
> -    if (installed) {
> -        *installed = video_codecs->len;
> -    }
> -
>       return invalid_codecs;
>   }
>   
>