diff options
| author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2024-10-08 16:50:13 +0400 |
|---|---|---|
| committer | Marc-André Lureau <marcandre.lureau@redhat.com> | 2024-10-14 17:34:09 +0400 |
| commit | 330ef31deb2e5461cff907488b710f5bd9cd2327 (patch) | |
| tree | f614213dc0627187b5677f90a0dd553309ce09c3 /ui | |
| parent | 244d52ff736fefc3dd364ed091720aa896af306d (diff) | |
| download | focaccia-qemu-330ef31deb2e5461cff907488b710f5bd9cd2327.tar.gz focaccia-qemu-330ef31deb2e5461cff907488b710f5bd9cd2327.zip | |
ui/win32: fix potential use-after-free with dbus shared memory
DisplaySurface may be free before the pixman image is freed, since the image is refcounted and used by different objects, including pending dbus messages. Furthermore, setting the destroy function in create_displaysurface_from() isn't appropriate, as it may not be used, and may be overriden as in ramfb. Set the destroy function when the shared handle is set, use the HANDLE directly for destroy data, using a single common helper qemu_pixman_win32_image_destroy(). Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>
Diffstat (limited to 'ui')
| -rw-r--r-- | ui/console.c | 24 | ||||
| -rw-r--r-- | ui/qemu-pixman.c | 15 |
2 files changed, 17 insertions, 22 deletions
diff --git a/ui/console.c b/ui/console.c index 105a0e2c70..8f416ff0b9 100644 --- a/ui/console.c +++ b/ui/console.c @@ -461,24 +461,6 @@ void qemu_displaysurface_win32_set_handle(DisplaySurface *surface, surface->handle = h; surface->handle_offset = offset; } - -static void -win32_pixman_image_destroy(pixman_image_t *image, void *data) -{ - DisplaySurface *surface = data; - - if (!surface->handle) { - return; - } - - assert(surface->handle_offset == 0); - - qemu_win32_map_free( - pixman_image_get_data(surface->image), - surface->handle, - &error_warn - ); -} #endif DisplaySurface *qemu_create_displaysurface(int width, int height) @@ -504,6 +486,8 @@ DisplaySurface *qemu_create_displaysurface(int width, int height) #ifdef WIN32 qemu_displaysurface_win32_set_handle(surface, handle, 0); + pixman_image_set_destroy_function(surface->image, + qemu_pixman_win32_image_destroy, handle); #endif return surface; } @@ -519,10 +503,6 @@ DisplaySurface *qemu_create_displaysurface_from(int width, int height, width, height, (void *)data, linesize); assert(surface->image != NULL); -#ifdef WIN32 - pixman_image_set_destroy_function(surface->image, - win32_pixman_image_destroy, surface); -#endif return surface; } diff --git a/ui/qemu-pixman.c b/ui/qemu-pixman.c index 6cada8b45e..3870e1a215 100644 --- a/ui/qemu-pixman.c +++ b/ui/qemu-pixman.c @@ -4,6 +4,7 @@ */ #include "qemu/osdep.h" +#include "qapi/error.h" #include "ui/console.h" #include "standard-headers/drm/drm_fourcc.h" #include "trace.h" @@ -267,3 +268,17 @@ void qemu_pixman_glyph_render(pixman_image_t *glyph, pixman_image_unref(ibg); } #endif /* CONFIG_PIXMAN */ + +#ifdef WIN32 +void +qemu_pixman_win32_image_destroy(pixman_image_t *image, void *data) +{ + HANDLE handle = data; + + qemu_win32_map_free( + pixman_image_get_data(image), + handle, + &error_warn + ); +} +#endif |