server/mjpeg_encoder: realloc encoder->row, when a wider frame is given

Fix crashes when there are sized wider frames in the stream, and we are
linked with libjpeg.

Related : rhbz#813826
Resolves: rhbz#820669

1 files changed, 8 insertions, 2 deletions

diff --git a/server/mjpeg_encoder.c b/server/mjpeg_encoder.c
index 6bb2f699..b812ba05 100644
--- a/server/mjpeg_encoder.c
+++ b/server/mjpeg_encoder.c
@@ -26,6 +26,7 @@
 
 struct MJpegEncoder {
     uint8_t *row;
+    uint32_t row_size;
     int first_frame;
     int quality;
 
@@ -196,6 +197,8 @@ int mjpeg_encoder_start_frame(MJpegEncoder *encoder, SpiceBitmapFmt format,
 {
     encoder->cinfo.in_color_space   = JCS_RGB;
     encoder->cinfo.input_components = 3;
+    encoder->pixel_converter = NULL;
+
     switch (format) {
     case SPICE_BITMAP_FMT_32BIT:
     case SPICE_BITMAP_FMT_RGBA:
@@ -224,13 +227,16 @@ int mjpeg_encoder_start_frame(MJpegEncoder *encoder, SpiceBitmapFmt format,
         return FALSE;
     }
 
-    if ((encoder->pixel_converter != NULL) && (encoder->row == NULL)) {
+    if (encoder->pixel_converter != NULL) {
         unsigned int stride = width * 3;
         /* check for integer overflow */
         if (stride < width) {
             return FALSE;
         }
-        encoder->row = spice_malloc(stride);
+        if (encoder->row_size < stride) {
+            encoder->row = spice_realloc(encoder->row, stride);
+            encoder->row_size = stride;
+        }
     }
 
     spice_jpeg_mem_dest(&encoder->cinfo, dest, dest_len);