Skip to content
This repository has been archived by the owner on Nov 1, 2021. It is now read-only.

RDP backend rfx (RemoteFX) mode crashes when rendering same screen twice #1689

Closed
m01 opened this issue May 5, 2019 · 3 comments
Closed

RDP backend rfx (RemoteFX) mode crashes when rendering same screen twice #1689

m01 opened this issue May 5, 2019 · 3 comments
Labels
bug

Comments

@m01
Copy link
Contributor

m01 commented May 5, 2019

Summary

When using the rdp backend and connecting with xfreerdp ... --rfx, wlroots crashes in backend/rdp/output.c on this line:

	RFX_RECT *rfx_rect;
	int nrects;
	pixman_box32_t *rects =
		pixman_region32_rectangles(damage, &nrects);
	rfx_rect = realloc(context->rfx_rects, nrects * sizeof(*rfx_rect));  // << here

Using gdb, it looks like this is because damage contains x=0, y=0, width=0 and height=0, probably because the screen didn't change. This means nrects is also 0 and we request a realloc of size 0.

Repro & logs

terminal 1:

% WLR_RDP_TLS_CERT_PATH=$KEY_DIR/tls.crt WLR_RDP_TLS_KEY_PATH=$KEY_DIR/tls.key WLR_BACKENDS=rdp XDG_RUNTIME_DIR=/tmp sway
...
[12:46:06:011] [2174:2174] [INFO][com.freerdp.core.connection] - Client Security: NLA:1 TLS:1 RDP:0
[12:46:06:011] [2174:2174] [INFO][com.freerdp.core.connection] - Server Security: NLA:0 TLS:1 RDP:1
[12:46:06:011] [2174:2174] [INFO][com.freerdp.core.connection] - Negotiated Security: NLA:0 TLS:1 RDP:0
[12:46:06:198] [2174:2174] [INFO][com.freerdp.core.connection] - Accepted client: ...
[12:46:06:198] [2174:2174] [INFO][com.freerdp.core.connection] - Accepted channels:
[12:46:06:198] [2174:2174] [INFO][com.freerdp.core.connection] -  cliprdr
[12:46:06:198] [2174:2174] [INFO][com.freerdp.core.gcc] - Active rdp encryption level: NONE
[12:46:06:198] [2174:2174] [INFO][com.freerdp.core.gcc] - Selected rdp encryption method: NONE
2019-05-05 12:46:06 - [swaybg/main.c:300] Found config * for output RDP-1 (RDP RDP )
...
2019-05-05 12:46:06 - [backend/rdp/output.c:113] RDP swap buffers failed: could not realloc rects
double free or corruption (fasttop)
(EE) failed to read Wayland events: Broken pipe
2019-05-05 12:46:06 - [sway/common/ipc-client.c:90] Unable to receive IPC response
zsh: abort (core dumped)  WLR_RDP_TLS_CERT_PATH=$KEY_DIR/tls.crt WLR_RDP_TLS_KEY_PATH=$KEY_DIR/tls.key

(note about log: I added an extra line for logging to backend/rdp/output.c, which is why the line number above is off by one. The extra logging doesn't show when running sway because I didn't change the log level)

terminal 2:

% xfreerdp -v 127.0.0.1 --rfx --bpp 32 --size 800x600

Workaround

use --nsc instead of --rfx

xfreerdp -v 127.0.0.1 --nsc --bpp 32 --size 800x600

System info

OS: Arch Linux
wlroots-git: 6ae6b5d
sway-git: 51c077798cf06ebd5e27271fb5e276c181f8a077
@emersion
Copy link
Member

emersion commented May 5, 2019

I've come to the same conclusion. Thanks for investigating.

Would you be willing to send a fix?

@emersion emersion added the bug label May 5, 2019
@m01
Copy link
Contributor Author

m01 commented May 5, 2019

If the fix is just to return true if there aren't any rects to send (and thus not call rfx_compose_message), then I can file a PR for that. That seems to fix this crash. I don't understand the RDP protocol or freeRDP well enough to know whether this is the correct fix though.

@emersion
Copy link
Member

emersion commented May 5, 2019

This sounds like a good solution to me.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug
Milestone
No milestone
Development

No branches or pull requests
2 participants
@emersion @m01