1 From 3dfd1a08286d524a742d51952595fcfb6f0c6f1b Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Tue, 8 Sep 2015 10:01:51 +0100
4 Subject: [PATCH 08/19] Fix race condition on red_get_clip_rects
6 Do not read multiple times an array size that can be changed.
8 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
9 Acked-by: Christophe Fergeau <cfergeau@redhat.com>
11 server/red_parse_qxl.c | 8 +++++---
12 1 file changed, 5 insertions(+), 3 deletions(-)
14 diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
15 index 40c1c99..a9f3ca1 100644
16 --- a/server/red_parse_qxl.c
17 +++ b/server/red_parse_qxl.c
18 @@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
24 qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error);
26 @@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id,
27 data = red_linearize_chunk(&chunks, size, &free_data);
28 red_put_data_chunks(&chunks);
30 - spice_assert(qxl->num_rects * sizeof(QXLRect) == size);
31 - red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect));
32 - red->num_rects = qxl->num_rects;
33 + num_rects = qxl->num_rects;
34 + spice_assert(num_rects * sizeof(QXLRect) == size);
35 + red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect));
36 + red->num_rects = num_rects;
38 start = (QXLRect*)data;
39 for (i = 0; i < red->num_rects; i++) {
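Review bot: The length check on the new line `spice_assert(num_rects * sizeof(QXLRect) == size);` still validates guest-controlled data with an assertion, so a `num_rects` that does not match `size` aborts the server instead of failing the parse; since `red_get_clip_rects` already threads an `error` flag through `get_virt`, the mismatch would be better reported on that path, e.g. `if (num_rects * sizeof(QXLRect) != size) { /* release data as the other failure paths do */ return NULL; }`, with the exact cleanup matching the function's existing error handling, which lies outside the hunk. Snapshotting `num_rects` once is the right fix for the re-read, but `size` is computed before this hunk and must likewise come from a single read for the check to be meaningful. The loop on the last line bounds itself by `red->num_rects`, which now holds the local copy, so iteration and allocation agree. The enclosing function starts and ends outside the hunk.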