git.ipfire.org Git - thirdparty/qemu.git/commit

author	Marc-André Lureau <marcandre.lureau@redhat.com>
	Tue, 8 Oct 2024 12:50:13 +0000 (16:50 +0400)
committer	Michael Tokarev <mjt@tls.msk.ru>
	Wed, 16 Oct 2024 08:15:04 +0000 (11:15 +0300)
commit	e1324ec9465efbd7ca95c4ad29d3d3cf102d05c3
tree	aff0403ee6365cca6290879b5a04bbd5fddd6315	tree
parent	9391f419c7ef5e180e42177ea9a662389a69bbbe	commit \| diff

ui/win32: fix potential use-after-free with dbus shared memory

DisplaySurface may be free before the pixman image is freed, since the
image is refcounted and used by different objects, including pending
dbus messages.

Furthermore, setting the destroy function in
create_displaysurface_from() isn't appropriate, as it may not be used,
and may be overriden as in ramfb.

Set the destroy function when the shared handle is set, use the HANDLE
directly for destroy data, using a single common helper
qemu_pixman_win32_image_destroy().

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-ID: <20241008125028.1177932-5-marcandre.lureau@redhat.com>
(cherry picked from commit 330ef31deb2e5461cff907488b710f5bd9cd2327)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

hw/display/virtio-gpu.c		diff \| blob \| blame \| history
include/ui/qemu-pixman.h		diff \| blob \| blame \| history
ui/console.c		diff \| blob \| blame \| history
ui/qemu-pixman.c		diff \| blob \| blame \| history