diff options
| author | Victor Toso <victortoso@redhat.com> | 2015-11-13 10:44:55 +0100 |
|---|---|---|
| committer | Victor Toso <victortoso@redhat.com> | 2015-11-13 12:01:26 +0100 |
| commit | c429574bb6aebcbbddcc9714f994afd6b0ae7186 (patch) | |
| tree | 62071c00e174899844d73c539f8d44dd740356d0 | |
| parent | 57fe8ce26857328e4ee1ade44e62af1cf5bb3cd4 (diff) | |
| download | spice-c429574bb6aebcbbddcc9714f994afd6b0ae7186.tar.gz spice-c429574bb6aebcbbddcc9714f994afd6b0ae7186.tar.xz spice-c429574bb6aebcbbddcc9714f994afd6b0ae7186.zip | |
char-device: set to NULL freed pointers on destroy
As SpiceCharDeviceState is only unref'ed on
spice_char_device_state_destroy the same device could be destroyed more
then once so the pointers that are freed should be set to NULL.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1281455
| -rw-r--r-- | server/char_device.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/server/char_device.c b/server/char_device.c index fe383852..ae7cb982 100644 --- a/server/char_device.c +++ b/server/char_device.c @@ -742,11 +742,13 @@ void spice_char_device_state_destroy(SpiceCharDeviceState *char_dev) reds_on_char_device_state_destroy(char_dev); if (char_dev->write_to_dev_timer) { core->timer_remove(char_dev->write_to_dev_timer); + char_dev->write_to_dev_timer = NULL; } write_buffers_queue_free(&char_dev->write_queue); write_buffers_queue_free(&char_dev->write_bufs_pool); char_dev->cur_pool_size = 0; spice_char_device_write_buffer_free(char_dev->cur_write_buf); + char_dev->cur_write_buf = NULL; while (!ring_is_empty(&char_dev->clients)) { RingItem *item = ring_get_tail(&char_dev->clients); |