Prevent SEGV when resizing with GFX

The xrdp_enc_data contains a union for handling surface commands and gfx commands. Memory processing is different for these two options. The default destructor for the encoder FIFO only knows about surface commands. Consequently, if the encoder has queued GFX data when the encoder is closed, the destructor processes the queued data as if it contained surface commands rather than GFX commands. This typically causes a SEGV as the drects field of the overlaid surface command structure is not pointing at anything valid when it is freed. (cherry picked from commit 809df89)
neutrinolabs · Jun 10, 2024 · a430eb9 · a430eb9
1 parent 0bef23f
commit a430eb9
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/xrdp/xrdp_encoder.c b/xrdp/xrdp_encoder.c
@@ -82,8 +82,15 @@ static void
 xrdp_enc_data_destructor(void *item, void *closure)
 {
     XRDP_ENC_DATA *enc = (XRDP_ENC_DATA *)item;
-    g_free(enc->u.sc.drects);
-    g_free(enc->u.sc.crects);
+    if (ENC_IS_BIT_SET(enc->flags, ENC_FLAGS_GFX_BIT))
+    {
+        g_free(enc->u.gfx.cmd);
+    }
+    else
+    {
+        g_free(enc->u.sc.drects);
+        g_free(enc->u.sc.crects);
+    }
     g_free(enc);
 }