From b1d7c2caf496e7236fe43c69fd380fedb830a979 Mon Sep 17 00:00:00 2001
From: Michal Srb
Date: Tue, 26 Sep 2017 13:45:36 +0200
Subject: [PATCH] Unset pixel buffer when x0vncserver client disconnects.

In XDesktop::start() we allocate pixel buffer and set it as the backend to the given VNCServer. In XDesktop::stop() we deallocate the buffer, so we must unset it from the VNCServer as well. Otherwise the VNCServer could try to access it and crash, for example in deferred update.
---
 common/rfb/VNCServerST.cxx | 14 ++++----------
 unix/x0vncserver/x0vncserver.cxx | 6 +++++-
 2 files changed, 9 insertions(+), 11 deletions(-)

Index: tigervnc-1.8.0/common/rfb/VNCServerST.cxx
===================================================================
--- tigervnc-1.8.0.orig/common/rfb/VNCServerST.cxx
+++ tigervnc-1.8.0/common/rfb/VNCServerST.cxx
@@ -312,6 +312,8 @@ void VNCServerST::setPixelBuffer(PixelBu
 screenLayout = layout;
 
 if (!pb) {
+ stopFrameClock();
+
 if (desktopStarted)
 throw Exception("setPixelBuffer: null PixelBuffer when desktopStarted?");
 return;
@@ -335,18 +337,10 @@ void VNCServerST::setPixelBuffer(PixelBu
 
 void VNCServerST::setPixelBuffer(PixelBuffer* pb_)
 {
- ScreenSet layout;
-
- if (!pb_) {
- if (desktopStarted)
- throw Exception("setPixelBuffer: null PixelBuffer when desktopStarted?");
- return;
- }
-
- layout = screenLayout;
+ ScreenSet layout = screenLayout;
 
 // Check that the screen layout is still valid
- if (!layout.validate(pb_->width(), pb_->height())) {
+ if (pb_ && !layout.validate(pb_->width(), pb_->height())) {
 Rect fbRect;
 ScreenSet::iterator iter, iter_next;
 
Index: tigervnc-1.8.0/unix/x0vncserver/x0vncserver.cxx
===================================================================
--- tigervnc-1.8.0.orig/unix/x0vncserver/x0vncserver.cxx
+++ tigervnc-1.8.0/unix/x0vncserver/x0vncserver.cxx
@@ -176,7 +176,8 @@ public:
 #endif
 }
 virtual ~XDesktop() {
- stop();
+ if (running)
+ stop();
 }
 
 inline void poll() {
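Review bot: In the two-argument `VNCServerST::setPixelBuffer`, the `if (desktopStarted) throw Exception(...)` that follows the new `stopFrameClock()` is now on the client-disconnect path, because `XDesktop::stop()` in x0vncserver.cxx calls `server->setPixelBuffer(0)` after this patch. The hunk does not show whether `desktopStarted` is already false by the time `stop()` runs; if it is not, a disconnect raises instead of detaching the buffer, so that ordering should be confirmed. A comment above the branch would record the contract, e.g. `// pb == NULL detaches the framebuffer; only valid once desktopStarted has been cleared`. The function starts before and continues after the hunk.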
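Review bot: In the one-argument `setPixelBuffer`, a null `pb_` no longer returns early, so it now runs through the whole body, and only the `validate` condition visible here is guarded with `pb_ &&`. The rest of the function lies outside the hunk, so any later `pb_->` access or code that assumes a non-null buffer needs checking, and for the null case the old `screenLayout` is carried along unvalidated. A comment at the top would state the new contract: `// pb_ may be NULL (desktop stopped): layout validation is skipped, the null case is handled further down`.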
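Review bot: `~XDesktop()` can still let an exception escape, because `stop()` now calls `server->setPixelBuffer(0)` and the VNCServerST.cxx hunk shows that call throwing `Exception` when `desktopStarted` is set. An exception leaving a destructor terminates the process, so the `stop()` call here should be wrapped so that the exception is caught and logged inside the destructor. The `running` guard also depends on `running` being initialised in the constructor and cleared in `stop()`, neither of which is visible in this hunk.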
@@ -223,6 +224,9 @@ public:
 XDamageDestroy(dpy, damage);
 #endif
 
+ server->setPixelBuffer(0);
+ server = 0;
+
 delete pb;
 pb = 0;
 }
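Review bot: `server->setPixelBuffer(0)` dereferences `server` unconditionally and the next line sets it to null, so a `stop()` that runs twice, or before `start()` has stored a server, would dereference a null pointer. The destructor is guarded by `running`, but no guard inside `stop()` is visible here (its body starts outside the hunk). A local check keeps the teardown idempotent: `if (server) { server->setPixelBuffer(0); server = 0; }`. Detaching before `delete pb` is the order that closes the use-after-free, and a comment such as `// detach from the server before freeing; it may still read pb` would keep the two steps from being reordered later.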