Commit 1bc3117a authored Apr 20, 2018 by Gerd Hoffmann

vnc: fix use-after-free



When vnc_client_read() return value is -1
vs is not valid any more.

Fixes: d49b87f0
Reported-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20180420084820.3873-1-kraxel@redhat.com

parent b8846a4d

ui/vnc.c

+3 −2

Original line number	Diff line number	Diff line
		@@ -1539,13 +1539,14 @@ gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED,
		VncState *vs = opaque;
		if (condition & G_IO_IN) {
		if (vnc_client_read(vs) < 0) {
		goto end;
		/* vs is free()ed here */
		return TRUE;
		}
		}
		if (condition & G_IO_OUT) {
		vnc_client_write(vs);
		}
		end:

		if (vs->disconnecting) {
		if (vs->ioc_tag != 0) {
		g_source_remove(vs->ioc_tag);