diff options
author | Frediano Ziglio <fziglio@redhat.com> | 2015-09-15 16:38:23 +0100 |
---|---|---|
committer | Frediano Ziglio <fziglio@redhat.com> | 2015-10-06 11:11:11 +0100 |
commit | 2b6695f1222f68690ea230e4e37ded7e07188f06 (patch) | |
tree | e3dde6effbaee3fed745f7c9333698a1acbcc60e | |
parent | 2693e0497e5626642250cff47a59b3b4b2cd432d (diff) | |
download | spice-2b6695f1222f68690ea230e4e37ded7e07188f06.tar.gz spice-2b6695f1222f68690ea230e4e37ded7e07188f06.tar.xz spice-2b6695f1222f68690ea230e4e37ded7e07188f06.zip |
Avoid race condition copying segments in red_get_path
The guest can attempt to increase the number of segments while
spice-server is reading them.
Make sure we don't copy more then the allocated segments.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
-rw-r--r-- | server/red_parse_qxl.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 281faad6..c7f8650a 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c @@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, seg = (SpicePathSeg*)&red->segments[n_segments]; n_segments = 0; mem_size2 = sizeof(*red); - while (start+1 < end) { + while (start+1 < end && n_segments < red->num_segments) { red->segments[n_segments++] = seg; count = start->count; |