openkylin
/
qemu
mirror of https://gitee.com/openkylin/qemu.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
qemu/hw
History
Marc-André Lureau 2c8ebac7cc vga: fix invalid read after free 
After calling dpy_gfx_replace_surface(s->con, surface), the outer
surface is invalid.

==5370== Invalid read of size 4
==5370==    at 0x460229: surface_bits_per_pixel (console.h:250)
==5370==    by 0x466A81: get_depth_index (vga.c:1173)
==5370==    by 0x467EC2: vga_draw_graphic (vga.c:1718)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)
==5370==    by 0x3EB543: gui_update (console.c:192)
==5370==    by 0x3C43B3: timerlist_run_timers (qemu-timer.c:488)
==5370==    by 0x3C4416: qemu_clock_run_timers (qemu-timer.c:499)
==5370==  Address 0x22ffb1e0 is 0 bytes inside a block of size 56 free'd
==5370==    at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==5370==    by 0x4245FC: free_and_trace (vl.c:2771)
==5370==    by 0x50899AE: g_free (gmem.c:252)
==5370==    by 0x3EE8D3: qemu_free_displaysurface (console.c:1332)
==5370==    by 0x3EEDB7: dpy_gfx_replace_surface (console.c:1427)
==5370==    by 0x467EB6: vga_draw_graphic (vga.c:1714)
==5370==    by 0x4687A5: vga_update_display (vga.c:1914)
==5370==    by 0x2A782E: qxl_hw_update (qxl.c:1766)
==5370==    by 0x3EB83B: graphic_hw_update (console.c:254)
==5370==    by 0x3FBE31: qemu_spice_display_refresh (spice-display.c:418)
==5370==    by 0x2A7D01: display_refresh (qxl.c:1886)
==5370==    by 0x3EEE1C: dpy_refresh (console.c:1436)

Signed-off-by: Marc-André Lureau <marcandre.lureau@gmail.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1383664554-15248-1-git-send-email-marcandre.lureau@gmail.com
Signed-off-by: Anthony Liguori <aliguori@amazon.com>
 		2013-11-05 20:01:11 -08:00
..
9pfs hw/9pfs: Fix errno value for xattr functions 2013-10-05 13:05:28 +04:00
acpi bswap.h: Remove le16_to_cpupu() 2013-11-05 19:57:46 -08:00
alpha hw/alpha: Fix compiler warning (integer constant is too large) 2013-10-02 22:55:28 +04:00
arm armv7m: Don't enforce use of kernel for qtest 2013-11-05 17:47:29 +01:00
audio pci, pc, acpi fixes, enhancements 2013-10-31 16:58:32 +01:00
block bswap.h: Remove cpu_to_be32wu() 2013-11-05 19:57:47 -08:00
bt Preparation for usb-bt-dongle conditional build 2013-09-10 11:14:41 +02:00
char milkymist-uart: Use Device::realize instead of SysBusDevice::init 2013-11-05 17:47:29 +01:00
core qdev: Drop misleading qdev_free() function 2013-11-05 18:06:38 +01:00
cpu arm11mpcore: Split off RealView MPCore 2013-11-05 17:47:30 +01:00
cris axis_dev88: Don't enforce use of kernel for qtest 2013-11-05 17:47:29 +01:00
display vga: fix invalid read after free 2013-11-05 20:01:11 -08:00
dma qom: Pass available size to object_initialize() 2013-08-30 21:15:44 +02:00
gpio gpio/zaurus: QOM cast cleanup 2013-07-29 21:06:57 +02:00
i2c exynos4210_i2c: QOM cast cleanup 2013-07-29 21:07:02 +02:00
i386 pci, pc, pvpanic bug fixes 2013-11-05 08:29:56 -08:00
ide bswap.h: Remove cpu_to_be16wu() 2013-11-05 19:57:47 -08:00
input aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
intc realview_gic: Prepare for QOM embedding 2013-11-05 17:47:30 +01:00
isa ich9: APIs for pc guest info 2013-10-14 17:48:52 +03:00
lm32 milkymist: Suppress -kernel/-bios/-drive error for qtest 2013-11-05 17:47:29 +01:00
m68k an5206: Don't enforce use of kernel for qtest 2013-11-05 17:47:29 +01:00
microblaze hw/microblaze: Add support for loading initrd images 2013-10-24 22:56:48 +02:00
mips mips_mipssim: Silence BIOS loading warning for qtest 2013-11-05 17:47:28 +01:00
misc pcmcia: QOM'ify PCMCIACardState and MicroDriveState 2013-11-05 18:06:52 +01:00
moxie memory: add owner argument to initialization functions 2013-07-04 17:42:44 +02:00
net bswap.h: Remove cpu_to_be32wu() 2013-11-05 19:57:47 -08:00
nvram fw_cfg: interface to trigger callback on read 2013-10-14 17:48:51 +03:00
openrisc pc,pci,virtio fixes and cleanups 2013-09-03 12:31:07 -05:00
pci bswap.h: Remove cpu_to_be32wu() 2013-11-05 19:57:47 -08:00
pci-bridge hw/pci-bridge: set PCI_INTERRUPT_PIN register before shpc init 2013-10-14 17:11:45 +03:00
pci-host pci, pc, acpi fixes, enhancements 2013-10-31 16:58:32 +01:00
pcmcia pcmcia/pxa2xx: QOM'ify PXA2xxPCMCIAState 2013-11-05 18:06:52 +01:00
ppc Merge remote-tracking branch 'mjt/trivial-patches' into staging 2013-10-31 17:01:43 +01:00
s390x qdev: Drop misleading qdev_free() function 2013-11-05 18:06:38 +01:00
scsi qdev: Drop misleading qdev_free() function 2013-11-05 18:06:38 +01:00
sd sd: Avoid access to NULL BlockDriverState 2013-10-17 10:15:18 +02:00
sh4 shix: Don't require firmware presence for qtest 2013-11-05 17:47:29 +01:00
sparc leon3: Don't enforce use of -bios with qtest 2013-11-05 17:47:29 +01:00
sparc64 pc,pci,virtio fixes and cleanups 2013-09-03 12:31:07 -05:00
ssi xilinx_spi: QOM cast cleanup 2013-07-29 21:07:01 +02:00
timer a9mpcore: Embed ARMMPTimerState 2013-11-05 17:47:29 +01:00
tpm aio / timers: Untangle include files 2013-08-22 19:10:27 +02:00
unicore32 puv3: Turn puv3_load_kernel() into a no-op for qtest without -kernel 2013-11-05 17:47:28 +01:00
usb qdev: Drop misleading qdev_free() function 2013-11-05 18:06:38 +01:00
virtio qdev: Drop misleading qdev_free() function 2013-11-05 18:06:38 +01:00
watchdog aio / timers: Switch entire codebase to the new timer API 2013-08-22 19:14:24 +02:00
xen qdev: Drop misleading qdev_free() function 2013-11-05 18:06:38 +01:00
xtensa pc,pci,virtio fixes and cleanups 2013-09-03 12:31:07 -05:00
Makefile.objs pcmcia: QOM'ify PCMCIACardState and MicroDriveState 2013-11-05 18:06:52 +01:00