From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Eric Blake" <eblake@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Bandan Das" <bsd@redhat.com>,
	"Alexander Bulekov" <alxndr@bu.edu>,
	"Laurent Vivier" <lvivier@redhat.com>,
	"Darren Kenny" <darren.kenny@oracle.com>,
	"Qiuhao Li" <Qiuhao.Li@outlook.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
	"Akihiko Odaki" <akihiko.odaki@gmail.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Alexandre Ratchov" <alex@caoua.org>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Stefan Hajnoczi" <stefanha@redhat.com>,
	"Thomas Huth" <thuth@redhat.com>,
	"Volker Rümelin" <vr_qemu@t-online.de>
Subject: [PULL 10/25] ui/console: fix three double frees in png_save()
Date: Mon, 26 Sep 2022 11:54:54 +0200
Message-ID: <20220926095509.3759409-11-kraxel@redhat.com>
In-Reply-To: <20220926095509.3759409-1-kraxel@redhat.com>

From: Volker Rümelin <vr_qemu@t-online.de>

The png_destroy_write_struct() function frees all memory used by
libpng. Don't use the glib auto cleanup mechanism to free the
memory allocated by libpng again. For the pixman image, use only the
auto cleanup mechanism and remove the qemu_pixman_image_unref()
function call to prevent another double free.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1210
Fixes: 9a0a119a38 ("Added parameter to take screenshot with screendump as PNG")
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20220919061956.30929-1-vr_qemu@t-online.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 ui/console.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ui/console.c b/ui/console.c
index 243f2f6e64ae..49da6a91df6f 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -304,8 +304,8 @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
 {
     int width = pixman_image_get_width(image);
     int height = pixman_image_get_height(image);
-    g_autofree png_struct *png_ptr = NULL;
-    g_autofree png_info *info_ptr = NULL;
+    png_struct *png_ptr;
+    png_info *info_ptr;
     g_autoptr(pixman_image_t) linebuf =
                             qemu_pixman_linebuf_create(PIXMAN_a8r8g8b8, width);
     uint8_t *buf = (uint8_t *)pixman_image_get_data(linebuf);
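Review bot: png_ptr and info_ptr lose their "= NULL" initializers together with g_autofree, so they are now uninitialized until assigned, and this hunk does not show where that first assignment happens. Keeping "png_struct *png_ptr = NULL;" and "png_info *info_ptr = NULL;" costs nothing and gives any exit path that runs before both are set a defined value. A short comment on the declarations saying that libpng owns these objects and releases them through png_destroy_write_struct() would also document why g_autofree must not be put back.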
@@ -346,7 +346,6 @@ static bool png_save(int fd, pixman_image_t *image, Error **errp)
         qemu_pixman_linebuf_fill(linebuf, image, width, 0, y);
         png_write_row(png_ptr, buf);
     }
-    qemu_pixman_image_unref(linebuf);
 
     png_write_end(png_ptr, NULL);
 
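Review bot: with the explicit qemu_pixman_image_unref(linebuf) gone after the row loop, the only release of linebuf is the g_autoptr(pixman_image_t) on its declaration in the first hunk, and nothing near this loop says so. Since buf points into linebuf's data and is still passed to png_write_row() here, a one-line comment at the declaration noting that linebuf is released at scope exit would make the ownership explicit and guard against a manual unref being reintroduced.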
-- 
2.37.3


