fix CVE-2015-3247, CVE-2015-5260, CVE-2015-5261
1 From 097c638b121e595d9daf79285c447088027a58e2 Mon Sep 17 00:00:00 2001
2 From: Frediano Ziglio <fziglio@redhat.com>
3 Date: Wed, 9 Sep 2015 12:45:06 +0100
4 Subject: [PATCH 02/19] worker: avoid double free or double create of surfaces
5
6 A driver can overwrite surface state creating a surface with the same
7 id of a previous one.
8 Also can try to destroy surfaces that are not created.
9 Both requests cause invalid internal states that could lead to crashes
10 or memory corruptions.
11
12 Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
13 ---
14 server/red_worker.c | 9 ++++++++-
15 1 file changed, 8 insertions(+), 1 deletion(-)
16
17 --- a/server/red_worker.c
18 +++ b/server/red_worker.c
19 @@ -4246,6 +4246,10 @@ static inline void red_process_surface(R
20 int32_t stride = surface->u.surface_create.stride;
21 int reloaded_surface = loadvm || (surface->flags & QXL_SURF_FLAG_KEEP_DATA);
22
23 + if (red_surface->refs) {
24 + spice_warning("avoiding creating a surface twice");
25 + break;
26 + }
27 data = surface->u.surface_create.data;
28 if (stride < 0) {
29 data -= (int32_t)(stride * (height - 1));
30 @@ -4259,7 +4263,10 @@ static inline void red_process_surface(R
31 break;
32 }
33 case QXL_SURFACE_CMD_DESTROY:
34 - spice_warn_if(!red_surface->context.canvas);
35 + if (!red_surface->refs) {
36 + spice_warning("avoiding destroying a surface twice");
37 + break;
38 + }
39 set_surface_release_info(worker, surface_id, 0, surface->release_info, group_id);
40 red_handle_depends_on_target_surface(worker, surface_id);
41 /* note that red_handle_depends_on_target_surface must be called before red_current_clear.
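Review bot: The `refs` check replaces, rather than supplements, the old `spice_warn_if(!red_surface->context.canvas)` sanity check, so a surface whose `refs` is nonzero but whose canvas was never created would now pass silently into red_handle_depends_on_target_surface and the later teardown; unless refs and canvas are guaranteed to be set together (not visible here), keeping `spice_warn_if(!red_surface->context.canvas);` after the new guard preserves that invariant at no cost. As in the create path, the warning would be more useful with the id: `spice_warning("avoiding destroying surface %d twice", surface_id);`. Note that rejecting the destroy also skips the `set_surface_release_info` call on the next line, so the guest is never told to release the command's resource; whether that matters depends on caller-side handling outside this hunk. The function continues past the end of the hunk.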