From: Marc-André Lureau
Date: Tue, 5 Nov 2013 16:15:54 +0100
Message-Id: <1383664554-15248-1-git-send-email-marcandre.lureau@gmail.com>
Subject: [Qemu-devel] [PATCH for-1.7] vga: fix invalid read after free
To: qemu-devel@nongnu.org
Cc: Marc-André Lureau, kraxel@redhat.com

After calling dpy_gfx_replace_surface(s->con, surface), the outer surface is invalid.

==5370== Invalid read of size 4
==5370==    at 0x460229: surface_bits_per_pixel (console.h:250)
==5370==    by 0x466A81: get_depth_index (vga.c:1173)
==5370==    by 0x467EC2: vga_draw_graphic (vga.c:1718)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)
==5370==    by 0x3EB543: gui_update (console.c:192)
==5370==    by 0x3C43B3: timerlist_run_timers (qemu-timer.c:488)
==5370==    by 0x3C4416: qemu_clock_run_timers (qemu-timer.c:499)
==5370==  Address 0x22ffb1e0 is 0 bytes inside a block of size 56 free'd
==5370==    at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5370==    by 0x4245FC: free_and_trace (vl.c:2771)
==5370==    by 0x50899AE: g_free (gmem.c:252)
==5370==    by 0x3EE8D3: qemu_free_displaysurface (console.c:1332)
==5370==    by 0x3EEDB7: dpy_gfx_replace_surface (console.c:1427)
==5370==    by 0x467EB6: vga_draw_graphic (vga.c:1714)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)

Signed-off-by: Marc-André Lureau
---
 hw/display/vga.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hw/display/vga.c b/hw/display/vga.c index b5e2284..063319d 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -1707,7 +1707,6 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) } else if (is_buffer_shared(surface) && (full_update || surface_data(surface) != s->vram_ptr + (s->start_addr * 4))) { - DisplaySurface *surface; surface = qemu_create_displaysurface_from(disp_width, height, depth, s->line_offset, s->vram_ptr + (s->start_addr * 4), byteswap); -- 1.8.3.1
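Review bot: the root cause here is variable shadowing rather than a plain ordering mistake, and the commit message should say so. The removed `DisplaySurface *surface;` declared a block-local pointer with the same name as the function-scope `surface`, so the result of `qemu_create_displaysurface_from(...)` was stored in the inner variable and discarded at the end of the block, while the outer `surface` kept pointing at the old surface that `dpy_gfx_replace_surface()` (vga.c:1714 in the valgrind trace) frees; `get_depth_index()` at vga.c:1718 then read through that dangling pointer. Deleting the shadow makes the assignment update the pointer the later code actually uses, which is the right fix. Two follow-ups: building with `-Wshadow` would have flagged this declaration, so it is worth enabling for this file or the tree, and it is worth confirming no other block inside `vga_draw_graphic()` redeclares `surface` the same way.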