vnc_refresh: calling vnc_update_client might free vs

Hi all, this patch fixes another bug in vnc_refresh: calling vnc_update_client might cause vs to be free()ed, in this case we cannot access vs->next right after to examine the next item on the list. Signed-off-by: N Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>

vnc_refresh: calling vnc_update_client might free vs
Hi all, this patch fixes another bug in vnc_refresh: calling vnc_update_client might cause vs to be free()ed, in this case we cannot access vs->next right after to examine the next item on the list. Signed-off-by: N Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: N Anthony Liguori <aliguori@us.ibm.com>
6185c578 · Stefano Stabellini · Anthony Liguori · 053965c7 · 6185c578
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

vnc.c vnc.c +4 -2

未找到文件。
--- a/vnc.c
+++ b/vnc.c
@@ -2345,7 +2345,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
 static void vnc_refresh(void *opaque)
 {
    VncDisplay *vd = opaque;
-    VncState *vs = NULL;
+    VncState *vs = NULL, *vn = NULL;
    int has_dirty = 0, rects = 0;

    vga_hw_update();
@@ -2354,8 +2354,10 @@ static void vnc_refresh(void *opaque)

    vs = vd->clients;
    while (vs != NULL) {
+        vn = vs->next;
        rects += vnc_update_client(vs, has_dirty);
-        vs = vs->next;
+        /* vs might be free()ed here */
+        vs = vn;
    }
    /* vd->timer could be NULL now if the last client disconnected,
     * in this case don't update the timer */