git.ipfire.org Git - thirdparty/qemu.git/commit

author	Marc-André Lureau <marcandre.lureau@redhat.com>
	Tue, 8 Oct 2024 12:50:13 +0000 (16:50 +0400)
committer	Michael Tokarev <mjt@tls.msk.ru>
	Fri, 8 Nov 2024 10:02:57 +0000 (13:02 +0300)
commit	0ba0827f214f5257b2ceb8a7e26ccb0793bdcebb
tree	c178894cd8facac24f102dc4ffa1f0260bb6d804	tree
parent	63b32ce87e6c3e71719a6a9f6f4089059c45f487	commit \| diff

ui/win32: fix potential use-after-free with dbus shared memory

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.

Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.

Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

hw/display/virtio-gpu.c		diff \| blob \| blame \| history
include/ui/qemu-pixman.h		diff \| blob \| blame \| history
ui/console.c		diff \| blob \| blame \| history
ui/qemu-pixman.c		diff \| blob \| blame \| history