From c429574bb6aebcbbddcc9714f994afd6b0ae7186 Mon Sep 17 00:00:00 2001 From: Victor Toso Date: Fri, 13 Nov 2015 10:44:55 +0100 Subject: char-device: set to NULL freed pointers on destroy As SpiceCharDeviceState is only unref'ed on spice_char_device_state_destroy the same device could be destroyed more then once so the pointers that are freed should be set to NULL. Related: https://bugzilla.redhat.com/show_bug.cgi?id=1281455
---
 server/char_device.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/server/char_device.c b/server/char_device.c
index fe383852..ae7cb982 100644
--- a/server/char_device.c
+++ b/server/char_device.c
@@ -742,11 +742,13 @@ void spice_char_device_state_destroy(SpiceCharDeviceState *char_dev)
 reds_on_char_device_state_destroy(char_dev);
 if (char_dev->write_to_dev_timer) {
 core->timer_remove(char_dev->write_to_dev_timer);
+ char_dev->write_to_dev_timer = NULL;
 }
 write_buffers_queue_free(&char_dev->write_queue);
 write_buffers_queue_free(&char_dev->write_bufs_pool);
 char_dev->cur_pool_size = 0;
 spice_char_device_write_buffer_free(char_dev->cur_write_buf);
+ char_dev->cur_write_buf = NULL;
 while (!ring_is_empty(&char_dev->clients)) {
 RingItem *item = ring_get_tail(&char_dev->clients);
-- cgit
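Review bot: With the added `char_dev->cur_write_buf = NULL;`, a second call reaches `spice_char_device_write_buffer_free()` with a NULL argument, and unlike the timer branch just above it has no guard. The helper is not visible here, so either confirm it accepts NULL or wrap the call and the reset in `if (char_dev->cur_write_buf) { ... }` to match the timer handling. Resetting these two fields makes a repeated teardown safe for them only: `reds_on_char_device_state_destroy(char_dev)` at the top of the hunk and the client loop at the bottom still run on every call, and the function body starts before and continues after the hunk. If, as the commit message says, the unref happens only in this function, a repeated call presumably drops the reference twice as well, so the double destroy itself may need a guard. At minimum, a comment such as `/* may be called more than once on the same device: reset every pointer freed here */` would record the invariant for later edits.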