Prevent SEGV when resizing with GFX

The xrdp_enc_data contains a union for handling surface commands and gfx commands. Memory processing is different for these two options. The default destructor for the encoder FIFO only knows about surface commands. Consequently, if the encoder has queued GFX data when the encoder is closed, the destructor processes the queued data as if it contained surface commands rather than GFX commands. This typically causes a SEGV as the drects field of the overlaid surface command structure is not pointing at anything valid when it is freed.
matt335672 · Jun 3, 2024 · 809df89 · 809df89
1 parent 8048a63
commit 809df89
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/xrdp/xrdp_encoder.c b/xrdp/xrdp_encoder.c
@@ -88,8 +88,15 @@ static void
 xrdp_enc_data_destructor(void *item, void *closure)
 {
     XRDP_ENC_DATA *enc = (XRDP_ENC_DATA *)item;
-    g_free(enc->u.sc.drects);
-    g_free(enc->u.sc.crects);
+    if (ENC_IS_BIT_SET(enc->flags, ENC_FLAGS_GFX_BIT))
+    {
+        g_free(enc->u.gfx.cmd);
+    }
+    else
+    {
+        g_free(enc->u.sc.drects);
+        g_free(enc->u.sc.crects);
+    }
     g_free(enc);
 }