git.ipfire.org Git - thirdparty/qemu.git/commit

author	Marc-André Lureau <marcandre.lureau@redhat.com>
	Tue, 8 Oct 2024 12:50:13 +0000 (16:50 +0400)
committer	Michael Tokarev <mjt@tls.msk.ru>
	Fri, 8 Nov 2024 10:02:41 +0000 (13:02 +0300)
commit	5910eb9d0a7d42bb73c271a79a738108831a2ad3
tree	0d7d6c7e33f5ff102cc231e644f6c24e03fa43c5	tree
parent	6298efc5b265e053c7d6e6e198e4a956da82feca	commit \| diff

ui/win32: fix potential use-after-free with dbus shared memory

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.

Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.

Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

hw/display/virtio-gpu.c		diff \| blob \| blame \| history
include/ui/qemu-pixman.h		diff \| blob \| blame \| history
ui/console.c		diff \| blob \| blame \| history
ui/qemu-pixman.c		diff \| blob \| blame \| history