On Tue, 17 Sep 2013 14:22:50 +0300
Michal Srb <m...@suse.com> wrote:

> There is a use-after-free crash when a client using zrle disconnects:
> ZRLEEncoder contains zos variable (rdr::ZlibOutStream) and mos variable 
> (pointer to rdr::MemOutStream).
> mos is always allocated in constructor (it could be a copy of static 
> sharedMos pointer if sharedMos != 0, but it is always 0). 
> When ZRLEEncoder::writeRect is called, any of zrleEncode* functions sets mos 
> as an underlying stream of zos.
> When ZRLEEncoder is destructed, mos is deleted (sharedMos is always 0), then 
> zos is implicitly destructed, but zos accesses its underlying stream in its 
> destructor!

Good catch. But I think we need to fix this more permanently than your
patch. With your change we rely on the destruction order of members in
the ZRLEEncoder class.

Not sure which approach is best for solving that. Perhaps we should
make ZlibOutStream tolerate not having "underlying" set at destruction,
and zrleEncode*() should reset it back to NULL before returning?

Pierre Ossman           Software Development
Cendio AB               http://cendio.com
Teknikringen 8          http://twitter.com/ThinLinc
583 30 Linköping        http://facebook.com/ThinLinc
Phone: +46-13-214600    http://plus.google.com/112509906846170010689

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
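
Added example, not part of the original message and not TigerVNC code: a minimal C++ model of the approach suggested above, where the buffering stream tolerates a null underlying stream at destruction and the encode call detaches it before returning. MemSink, BufferedOut, Encoder and destructorFlushes are assumed stand-in names, not the real rdr:: classes.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Simplified stand-ins for the stream classes (assumed names, not rdr::*).
struct MemSink {
    std::vector<char> buf;
    void write(const char* p, std::size_t n) { buf.insert(buf.end(), p, p + n); }
};

class BufferedOut {
    MemSink* underlying = nullptr;  // borrowed, never owned
    std::string pending;
public:
    static int destructorFlushes;   // counts destructor accesses to a sink
    void setUnderlying(MemSink* s) { flush(); underlying = s; }
    void put(const std::string& s) { pending += s; }
    void flush() {
        if (!underlying) return;    // detached: nothing to touch
        underlying->write(pending.data(), pending.size());
        pending.clear();
    }
    // Tolerates a null underlying stream at destruction.
    ~BufferedOut() { if (underlying) { flush(); ++destructorFlushes; } }
};
int BufferedOut::destructorFlushes = 0;

class Encoder {
    BufferedOut zos;  // members are destroyed after ~Encoder()'s body runs
    MemSink* mos;
public:
    Encoder() : mos(new MemSink) {}
    Encoder(const Encoder&) = delete;
    Encoder& operator=(const Encoder&) = delete;
    ~Encoder() { delete mos; }      // zos is destroyed after this line
    std::size_t writeRect(const std::string& data) {
        zos.setUnderlying(mos);
        zos.put(data);
        zos.flush();
        zos.setUnderlying(nullptr); // detach before returning
        return mos->buf.size();
    }
};

int main() {
    { Encoder e; e.writeRect("abc"); }
    std::printf("destructor flushes: %d\n", BufferedOut::destructorFlushes);
    return 0;
}
```

Because the stream is detached after every writeRect call, its destructor never dereferences the sink, whatever order the members are declared or destroyed in.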


Tigervnc-devel mailing list