Hi,
> Tricky, but I think I follow that dpy->region.surface is only ever
> allocated to replace dpy->con->surface, so when ramfb_display_update()
> then replaces and frees dpy->con->surface with dpy->ramfb->ds, that's
> where the object pointed to by dpy->region.surface was freed. Right?
Correct
On Mon, 13 Jul 2020 14:45:20 +0200, Gerd Hoffmann wrote:
> Calling ramfb_display_update() might replace the DisplaySurface with the
> boot display, which in turn will free the currently active
> DisplaySurface.
>
> So clear our DisplaySurface pointer (dpy->region.surface pointer) to (a)
On 7/13/20 4:00 PM, Gerd Hoffmann wrote:
> On Mon, Jul 13, 2020 at 02:51:05PM +0200, Philippe Mathieu-Daudé wrote:
>> On 7/13/20 2:45 PM, Gerd Hoffmann wrote:
>>> Calling ramfb_display_update() might replace the DisplaySurface with the
>>> boot display, which in turn will free the currently active
On Mon, Jul 13, 2020 at 02:51:05PM +0200, Philippe Mathieu-Daudé wrote:
> On 7/13/20 2:45 PM, Gerd Hoffmann wrote:
> > Calling ramfb_display_update() might replace the DisplaySurface with the
> > boot display, which in turn will free the currently active
> > DisplaySurface.
> >
> > So clear our D
On 7/13/20 2:45 PM, Gerd Hoffmann wrote:
> Calling ramfb_display_update() might replace the DisplaySurface with the
> boot display, which in turn will free the currently active
> DisplaySurface.
>
> So clear our DisplaySurface pointer (dpy->region.surface pointer) to (a)
> avoid use-after-free and
Calling ramfb_display_update() might replace the DisplaySurface with the
boot display, which in turn will free the currently active
DisplaySurface.
So clear our DisplaySurface pointer (dpy->region.surface pointer) to (a)
avoid use-after-free and (b) force replacing the boot display with the
real di
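The ownership problem the patch describes, modelled as an added example that is not QEMU code and not part of the thread: a console owns whichever surface is active, a replace frees the previous one, and the vfio display keeps a cached pointer (`dpy->region.surface`) to the surface it installed. The struct layouts, the `replace_surface`/`surface_new` helpers, the quarantine list and the `display_off_*`/`display_on`/`run_scenario` functions are all assumptions constructed for this illustration. The quarantine stands in for what an ASan build would report, so the stale access is detected by address comparison rather than by dereferencing freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy model of the objects named in the thread (assumption:
 * real QEMU structs have many more fields and different helpers). */
typedef struct DisplaySurface { int width, height; } DisplaySurface;
typedef struct QemuConsole { DisplaySurface *surface; } QemuConsole; /* owns surface */
typedef struct RAMFBState { bool enabled; int width, height; } RAMFBState;
typedef struct VFIODisplay {
    QemuConsole *con;
    RAMFBState *ramfb;
    struct { DisplaySurface *surface; } region; /* cached pointer we installed */
} VFIODisplay;

/* Quarantine of surfaces that have been "freed" by a replace. They are kept
 * allocated (freed for real only at the end of a scenario) so that addresses
 * stay unique and a stale pointer can be recognised by comparison alone. */
#define QUARANTINE 16
static DisplaySurface *freed[QUARANTINE];
static int nfreed;

static bool surface_is_live(const DisplaySurface *s)
{
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == s) return false;
    return s != NULL;
}

static DisplaySurface *surface_new(int w, int h)
{
    DisplaySurface *s = calloc(1, sizeof(*s));
    s->width = w; s->height = h;
    return s;
}

/* Model of dpy_gfx_replace_surface(): install s, release the previous one. */
static void replace_surface(QemuConsole *con, DisplaySurface *s)
{
    if (con->surface && nfreed < QUARANTINE) freed[nfreed++] = con->surface;
    con->surface = s;
}

/* Model of ramfb_display_update(): while the boot framebuffer is enabled,
 * build its surface and make it active. Whatever was active before
 * (possibly the surface dpy->region.surface points at) is released. */
static void ramfb_display_update(QemuConsole *con, RAMFBState *s)
{
    if (!s->enabled) return;
    replace_surface(con, surface_new(s->width, s->height));
}

/* Guest display off: hand the console to ramfb. The buggy form keeps the
 * cached pointer across the update; the fixed form clears it first. */
static void display_off_buggy(VFIODisplay *dpy)
{
    ramfb_display_update(dpy->con, dpy->ramfb);   /* region.surface now dangles */
}

static void display_off_fixed(VFIODisplay *dpy)
{
    dpy->region.surface = NULL;                   /* (a) nothing dangles */
    ramfb_display_update(dpy->con, dpy->ramfb);
    /* (b) the next display_on() sees NULL and must install a real surface */
}

/* Guest display on with a w x h plane. Returns 0 on success, -1 when the
 * cached pointer is stale, i.e. the use-after-free the patch prevents. */
static int display_on(VFIODisplay *dpy, int w, int h)
{
    DisplaySurface *cur = dpy->region.surface;
    if (cur && !surface_is_live(cur)) return -1;  /* would read freed memory */
    if (!cur || cur->width != w || cur->height != h) {
        dpy->region.surface = surface_new(w, h);
        replace_surface(dpy->con, dpy->region.surface);
    }
    return 0;
}

/* boot -> guest display on -> off -> on again, same plane size each time.
 * Returns 0 when the console ends on the real (region) surface, -1 on a
 * stale-pointer access, -2 if the boot display was never replaced. */
static int run_scenario(bool fixed)
{
    nfreed = 0;
    QemuConsole con = { 0 };
    RAMFBState ramfb = { .enabled = true, .width = 800, .height = 600 };
    VFIODisplay dpy = { .con = &con, .ramfb = &ramfb };
    int rc;

    ramfb_display_update(&con, &ramfb);                        /* boot display */
    if (display_on(&dpy, 1024, 768) < 0) rc = -1;              /* guest driver up */
    else {
        if (fixed) display_off_fixed(&dpy); else display_off_buggy(&dpy);
        if (display_on(&dpy, 1024, 768) < 0) rc = -1;
        else rc = (con.surface == dpy.region.surface) ? 0 : -2;
    }
    for (int i = 0; i < nfreed; i++) free(freed[i]);            /* real cleanup */
    free(con.surface);
    return rc;
}

int main(void)
{
    printf("buggy path: %d (-1 = stale pointer reached)\n", run_scenario(false));
    printf("fixed path: %d (0 = real surface active)\n", run_scenario(true));
    return 0;
}
```

Clearing the cached pointer does two jobs at once, matching points (a) and (b) of the commit message: no pointer outlives the surface it names, and the size check in `display_on()` can no longer short-circuit on a stale surface of equal dimensions, so the boot display is always replaced when the guest display comes back.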