From b1d7c2caf496e7236fe43c69fd380fedb830a979 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Tue, 26 Sep 2017 13:45:36 +0200
Subject: [PATCH] Unset pixel buffer when x0vncserver client disconnects.

In XDesktop::start() we allocate pixel buffer and set it as the backend to the given VNCServer.
In XDesktop::stop() we deallocate the buffer, so we must unset it from the VNCServer as well.
Otherwise the VNCServer could try to access it and crash, for example in deferred update.
---
 common/rfb/VNCServerST.cxx       | 14 ++++----------
 unix/x0vncserver/x0vncserver.cxx |  6 +++++-
 2 files changed, 9 insertions(+), 11 deletions(-)

Index: tigervnc-1.8.0/common/rfb/VNCServerST.cxx
===================================================================
--- tigervnc-1.8.0.orig/common/rfb/VNCServerST.cxx
+++ tigervnc-1.8.0/common/rfb/VNCServerST.cxx
@@ -312,6 +312,8 @@ void VNCServerST::setPixelBuffer(PixelBu
   screenLayout = layout;
 
   if (!pb) {
+    stopFrameClock();
+
     if (desktopStarted)
       throw Exception("setPixelBuffer: null PixelBuffer when desktopStarted?");
     return;
@@ -335,18 +337,10 @@ void VNCServerST::setPixelBuffer(PixelBu
 
 void VNCServerST::setPixelBuffer(PixelBuffer* pb_)
 {
-  ScreenSet layout;
-
-  if (!pb_) {
-    if (desktopStarted)
-      throw Exception("setPixelBuffer: null PixelBuffer when desktopStarted?");
-    return;
-  }
-
-  layout = screenLayout;
+  ScreenSet layout = screenLayout;
 
   // Check that the screen layout is still valid
-  if (!layout.validate(pb_->width(), pb_->height())) {
+  if (pb_ && !layout.validate(pb_->width(), pb_->height())) {
     Rect fbRect;
     ScreenSet::iterator iter, iter_next;
 
Index: tigervnc-1.8.0/unix/x0vncserver/x0vncserver.cxx
===================================================================
--- tigervnc-1.8.0.orig/unix/x0vncserver/x0vncserver.cxx
+++ tigervnc-1.8.0/unix/x0vncserver/x0vncserver.cxx
@@ -176,7 +176,8 @@ public:
 #endif
   }
   virtual ~XDesktop() {
-    stop();
+    if (running)
+      stop();
   }
 
   inline void poll() {
@@ -223,6 +224,9 @@ public:
       XDamageDestroy(dpy, damage);
 #endif
 
+    server->setPixelBuffer(0);
+    server = 0;
+
     delete pb;
     pb = 0;
   }