diff options
author | Stefano Stabellini <stefano.stabellini@eu.citrix.com> | 2010-01-25 12:54:57 +0000 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2010-01-26 17:08:02 -0600 |
commit | 6185c5783c50ab5bb4bcdc317772848278cb9bc1 (patch) | |
tree | f546e4acd750083c0e8f8c747273e5bd6d2b670f | |
parent | 053965c7ff5b260672719884e644ce4117d01995 (diff) | |
download | qemu-6185c5783c50ab5bb4bcdc317772848278cb9bc1.zip qemu-6185c5783c50ab5bb4bcdc317772848278cb9bc1.tar.gz qemu-6185c5783c50ab5bb4bcdc317772848278cb9bc1.tar.bz2 |
vnc_refresh: calling vnc_update_client might free vs
Hi all,
this patch fixes another bug in vnc_refresh: calling vnc_update_client
might cause vs to be free()ed, in this case we cannot access vs->next
right after to examine the next item on the list.
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
-rw-r--r-- | vnc.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -2345,7 +2345,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd) static void vnc_refresh(void *opaque) { VncDisplay *vd = opaque; - VncState *vs = NULL; + VncState *vs = NULL, *vn = NULL; int has_dirty = 0, rects = 0; vga_hw_update(); @@ -2354,8 +2354,10 @@ static void vnc_refresh(void *opaque) vs = vd->clients; while (vs != NULL) { + vn = vs->next; rects += vnc_update_client(vs, has_dirty); - vs = vs->next; + /* vs might be free()ed here */ + vs = vn; } /* vd->timer could be NULL now if the last client disconnected, * in this case don't update the timer */ |