[client] x11: prevent race condition causing double free

This commit is contained in:
Geoffrey McRae 2019-02-25 04:42:58 +11:00
parent c7666b314b
commit 8d48dd973a
2 changed files with 16 additions and 0 deletions

View file

@ -204,6 +204,7 @@ static void x11_cb_wmevent(SDL_SysWMmsg * msg)
s->xselection.property = None;
XSendEvent(this->display, e.xselectionrequest.requestor, 0, 0, s);
XFlush(this->display);
return;
}
if (e.type == SelectionClear && (

View file

@ -123,6 +123,7 @@ struct Spice
bool cbSelection;
// clipboard variables
LG_Lock cbLock;
bool cbAgentGrabbed;
bool cbClientGrabbed;
SpiceDataType cbType;
@ -197,6 +198,8 @@ bool spice_connect(const char * host, const unsigned short port, const char * pa
DEBUG_INFO("Remote: %s:%u", host, port);
}
LG_LOCK_INIT(spice.cbLock);
spice.channelID = 0;
if (!spice_connect_channel(&spice.scMain))
{
@ -216,11 +219,14 @@ void spice_disconnect()
spice.sessionID = 0;
LG_LOCK(spice.cbLock);
if (spice.cbBuffer)
free(spice.cbBuffer);
spice.cbBuffer = NULL;
spice.cbRemain = 0;
spice.cbSize = 0;
LG_UNLOCK(spice.cbLock);
LG_LOCK_FREE(spice.cbLock);
spice.cbAgentGrabbed = false;
spice.cbClientGrabbed = false;
@ -576,6 +582,7 @@ bool spice_on_main_channel_read()
DEBUG_INFO("Spice agent disconnected, error: %u", error);
spice.hasAgent = false;
LG_LOCK(spice.cbLock);
if (spice.cbBuffer)
{
free(spice.cbBuffer);
@ -583,6 +590,7 @@ bool spice_on_main_channel_read()
spice.cbSize = 0;
spice.cbRemain = 0;
}
LG_UNLOCK(spice.cbLock);
return true;
}
@ -929,6 +937,7 @@ bool spice_agent_process(uint32_t dataSize)
{
if (spice.cbRemain)
{
LG_LOCK(spice.cbLock);
const uint32_t r = spice.cbRemain > dataSize ? dataSize : spice.cbRemain;
if (!spice_read_nl(&spice.scMain, spice.cbBuffer + spice.cbSize, r))
{
@ -937,6 +946,7 @@ bool spice_agent_process(uint32_t dataSize)
spice.cbBuffer = NULL;
spice.cbRemain = 0;
spice.cbSize = 0;
LG_UNLOCK(spice.cbLock);
return false;
}
@ -946,6 +956,7 @@ bool spice_agent_process(uint32_t dataSize)
if (spice.cbRemain == 0)
spice_agent_on_clipboard();
LG_UNLOCK(spice.cbLock);
return true;
}
@ -1045,9 +1056,11 @@ bool spice_agent_process(uint32_t dataSize)
if (msg.type == VD_AGENT_CLIPBOARD)
{
DEBUG_CLIPBOARD("VD_AGENT_CLIPBOARD");
LG_LOCK(spice.cbLock);
if (spice.cbBuffer)
{
DEBUG_ERROR("cbBuffer was never freed");
LG_UNLOCK(spice.cbLock);
return false;
}
@ -1063,6 +1076,7 @@ bool spice_agent_process(uint32_t dataSize)
spice.cbBuffer = NULL;
spice.cbRemain = 0;
spice.cbSize = 0;
LG_UNLOCK(spice.cbLock);
return false;
}
@ -1072,6 +1086,7 @@ bool spice_agent_process(uint32_t dataSize)
if (spice.cbRemain == 0)
spice_agent_on_clipboard();
LG_UNLOCK(spice.cbLock);
return true;
}
else