On Tue, 17 Sep 2013 14:22:50 +0300
Michal Srb <m...@suse.com> wrote:

> There is a use-after-free crash when a client using zrle disconnects:
> ZRLEEncoder contains zos variable (rdr::ZlibOutStream) and mos variable
> (pointer to rdr::MemOutStream).
> mos is always allocated in constructor (it could be a copy of static
> sharedMos pointer if sharedMos != 0, but it is always 0).
> When ZRLEEncoder::writeRect is called, any of zrleEncode* functions sets mos
> as an underlying stream of zos.
> When ZRLEEncoder is destructed, mos is deleted (sharedMos is always 0), then
> zos is implicitly destructed, but zos accesses its underlying stream in its
> destructor!
>

Good catch. But I think we need to fix this more permanently than your
patch. With your change we rely on the destruction order of members in
the ZRLEEncoder class.

Not sure which approach is best for solving that. Perhaps we should
make ZlibOutStream tolerate not having "underlying" set at destruction,
and zrleEncode*() should reset it back to NULL before returning?

Rgds
-- 
Pierre Ossman           Software Development
Cendio AB               http://cendio.com
Teknikringen 8          http://twitter.com/ThinLinc
583 30 Linköping        http://facebook.com/ThinLinc
Phone: +46-13-214600    http://plus.google.com/112509906846170010689

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
Tigervnc-devel mailing list
Tigervnc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tigervnc-devel
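
The destruction-order problem and the direction suggested in this thread, modelled as an added example (not TigerVNC code and not written by either poster). `MemBuf`, `ZStream`, `EncoderBefore` and `EncoderAfter` are hypothetical stand-ins for rdr::MemOutStream, rdr::ZlibOutStream and ZRLEEncoder, and integer ids replace raw pointers so the stale reference is detected without touching freed memory.

```cpp
#include <iostream>
#include <set>
#include <string>
// Constructed model, not TigerVNC code. Integer ids stand in for raw pointers
// so the demo can detect a stale reference without touching freed memory.
static std::set<int> liveBuffers;
static std::string lastEvent;

struct MemBuf {                        // plays the role of rdr::MemOutStream
  int id;
  explicit MemBuf(int i) : id(i) { liveBuffers.insert(id); }
  ~MemBuf() { liveBuffers.erase(id); }
};

struct ZStream {                       // plays the role of rdr::ZlibOutStream
  int underlying = 0;                  // 0 means "no underlying stream set"
  void setUnderlying(const MemBuf* b) { underlying = b ? b->id : 0; }
  ~ZStream() {                         // the destructor looks at the underlying stream
    if (underlying == 0) lastEvent = "no underlying, nothing to flush";
    else if (liveBuffers.count(underlying)) lastEvent = "flushed to live buffer";
    else lastEvent = "STALE underlying: use after free";
  }
};

// Reported pattern: the buffer is deleted in the destructor body, then zos is destroyed.
struct EncoderBefore {
  ZStream zos;
  MemBuf* mos = new MemBuf(1);
  void writeRect() { zos.setUnderlying(mos); }
  ~EncoderBefore() { delete mos; }     // member zos is destroyed after this body runs
};

// Suggested direction: detach before returning; the stream tolerates "none" at destruction.
struct EncoderAfter {
  ZStream zos;
  MemBuf* mos = new MemBuf(2);
  void writeRect() { zos.setUnderlying(mos); /* encode */ zos.setUnderlying(nullptr); }
  ~EncoderAfter() { delete mos; }
};

template <class E> std::string eventAfterDisconnect() {
  { E enc; enc.writeRect(); }          // scope exit models the client disconnecting
  return lastEvent;
}

int main() {
  std::cout << eventAfterDisconnect<EncoderBefore>() << "\n";
  std::cout << eventAfterDisconnect<EncoderAfter>() << "\n";
}
```

In the second encoder the outcome no longer depends on whether `zos` or the buffer goes away first, which is the property the reply asks for.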