[PULL 10/24] ui/console: fix three double frees in png_save()

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Qiuhao Li" <Qiuhao.Li@outlook.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Eric Blake" <eblake@redhat.com>,
	"Darren Kenny" <darren.kenny@oracle.com>,
	"Bandan Das" <bsd@redhat.com>,
	"Alexander Bulekov" <alxndr@bu.edu>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Akihiko Odaki" <akihiko.odaki@gmail.com>,
	"Alexandre Ratchov" <alex@caoua.org>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Volker Rümelin" <vr_qemu@t-online.de>
Subject: [PULL 10/24] ui/console: fix three double frees in png_save()
Date: Tue, 27 Sep 2022 10:18:58 +0200	[thread overview]
Message-ID: <20220927081912.180983-11-kraxel@redhat.com> (raw)
In-Reply-To: <20220927081912.180983-1-kraxel@redhat.com>

From: Volker Rümelin <vr_qemu@t-online.de>

The png_destroy_write_struct() function frees all memory used by
libpng. Don't use the glib auto cleanup mechanism to free the
memory allocated by libpng again. For the pixman image, use only the
auto cleanup mechanism and remove the qemu_pixman_image_unref()
function call to prevent another double free.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1210
Fixes: 9a0a119a38 ("Added parameter to take screenshot with screendump as PNG")
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20220919061956.30929-1-vr_qemu@t-online.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/console.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ui/console.c b/ui/console.c
index 243f2f6e64ae..49da6a91df6f 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -304,8 +304,8 @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
 {
     int width = pixman_image_get_width(image);
     int height = pixman_image_get_height(image);
-    g_autofree png_struct *png_ptr = NULL;
-    g_autofree png_info *info_ptr = NULL;
+    png_struct *png_ptr;
+    png_info *info_ptr;
     g_autoptr(pixman_image_t) linebuf =
                             qemu_pixman_linebuf_create(PIXMAN_a8r8g8b8, width);
     uint8_t *buf = (uint8_t *)pixman_image_get_data(linebuf);
@@ -346,7 +346,6 @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
         qemu_pixman_linebuf_fill(linebuf, image, width, 0, y);
         png_write_row(png_ptr, buf);
     }
-    qemu_pixman_image_unref(linebuf);
 
     png_write_end(png_ptr, NULL);
 
-- 
2.37.3

next prev parent reply	other threads:[~2022-09-27  8:36 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-27  8:18 [PULL 00/24] Kraxel 20220927 patches Gerd Hoffmann
2022-09-27  8:18 ` [PULL 01/24] ui/console: Get tab completion working again in the SDL monitor vc Gerd Hoffmann
2022-09-27  8:18 ` [PULL 02/24] ui/cocoa: Run qemu_init in the main thread Gerd Hoffmann
2022-09-27  8:18 ` [PULL 03/24] Revert "main-loop: Disable block backend global state assertion on Cocoa" Gerd Hoffmann
2022-09-27  8:18 ` [PULL 04/24] meson: Allow to enable gtk and sdl while cocoa is enabled Gerd Hoffmann
2022-09-27  8:18 ` [PULL 05/24] ui: add some vdagent related traces Gerd Hoffmann
2022-09-27  8:18 ` [PULL 06/24] ui/clipboard: fix serial priority Gerd Hoffmann
2022-09-27  8:18 ` [PULL 07/24] ui/vdagent: always reset the clipboard serial on caps Gerd Hoffmann
2022-09-27  8:18 ` [PULL 08/24] ui/clipboard: reset the serial state on reset Gerd Hoffmann
2022-09-27  8:18 ` [PULL 09/24] ui/vdagent: fix serial reset of guest agent Gerd Hoffmann
2022-09-27  8:18 ` Gerd Hoffmann [this message]
2022-09-27  8:18 ` [PULL 11/24] hw/usb/hcd-xhci: Check whether DMA accesses fail Gerd Hoffmann
2022-09-27  8:19 ` [PULL 12/24] hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero Gerd Hoffmann
2022-09-27  8:19 ` [PULL 13/24] usb/msd: move usb_msd_packet_complete() Gerd Hoffmann
2022-09-27  8:19 ` [PULL 14/24] usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert Gerd Hoffmann
2022-09-27  8:19 ` [PULL 15/24] hcd-xhci: drop operation with secondary stream arrays enabled Gerd Hoffmann
2022-09-27  8:19 ` [PULL 16/24] usbnet: Add missing usb_wakeup() call in usbnet_receive() Gerd Hoffmann
2022-09-27  8:19 ` [PULL 17/24] usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request Gerd Hoffmann
2022-09-27  8:19 ` [PULL 18/24] usbnet: Detect short packets as sent by the xHCI controller Gerd Hoffmann
2022-09-27  8:19 ` [PULL 19/24] usbnet: Report link-up via interrupt endpoint in CDC-ECM mode Gerd Hoffmann
2022-09-27  8:19 ` [PULL 20/24] audio: Add sndio backend Gerd Hoffmann
2024-09-10 14:16   ` Philippe Mathieu-Daudé
2024-09-10 14:28     ` Daniel P. Berrangé
2024-09-10 14:57       ` Alexandre Ratchov
2024-09-13  8:04         ` Markus Armbruster
2024-10-22  9:06           ` Alexandre Ratchov
2024-10-23  3:39             ` Philippe Mathieu-Daudé
2022-09-27  8:19 ` [PULL 21/24] Revert "audio: Log context for audio bug" Gerd Hoffmann
2022-09-27  8:19 ` [PULL 22/24] audio: remove abort() in audio_bug() Gerd Hoffmann
2022-09-27  8:19 ` [PULL 23/24] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638) Gerd Hoffmann
2022-09-27  8:19 ` [PULL 24/24] virtio-gpu: update scanout if there is any area covered by the rect Gerd Hoffmann
2022-09-27 15:04 ` [PULL 00/24] Kraxel 20220927 patches Stefan Hajnoczi

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:243f2f6e64a dfblob:49da6a91df6 )
 OR (
bs:"[PULL 10/24] ui/console: fix three double frees in png_save()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220927081912.180983-11-kraxel@redhat.com \
    --to=kraxel@redhat.com \
    --cc=Qiuhao.Li@outlook.com \
    --cc=akihiko.odaki@gmail.com \
    --cc=alex@caoua.org \
    --cc=alxndr@bu.edu \
    --cc=armbru@redhat.com \
    --cc=bsd@redhat.com \
    --cc=darren.kenny@oracle.com \
    --cc=eblake@redhat.com \
    --cc=f4bug@amsat.org \
    --cc=lvivier@redhat.com \
    --cc=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@redhat.com \
    --cc=thuth@redhat.com \
    --cc=vr_qemu@t-online.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).