81 lines
2.6 KiB
Diff
81 lines
2.6 KiB
Diff
|
From ab97841629f5f3f4fab9993b6255b6ae04828b9c Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Jonas=20=C3=85dahl?= <jadahl@gmail.com>
|
||
|
Date: Wed, 9 Sep 2020 10:14:20 +0200
|
||
|
Subject: [PATCH] vnc: Drop frames if client is gone
|
||
|
|
||
|
Frames from PipeWire are posted asynchronously from a I/O thread to the
|
||
|
main thread where they are turned into VNC frame updates and cursor
|
||
|
movements. On the other hand, sessions are closed asynchronously when
|
||
|
the VNC client disappears. If a frame ended up on the main thread after
|
||
|
a client disappeared but before the session and stream was closed, we'd
|
||
|
try to turn the new frames into VNC updates without a client being
|
||
|
available, causing use after free.
|
||
|
|
||
|
Fix this by dropping frames that happens during this time frame.
|
||
|
|
||
|
Closes: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/43
|
||
|
---
|
||
|
src/grd-session-vnc.c | 7 +++++++
|
||
|
src/grd-session-vnc.h | 2 ++
|
||
|
src/grd-vnc-pipewire-stream.c | 8 ++++++++
|
||
|
3 files changed, 17 insertions(+)
|
||
|
|
||
|
diff --git a/src/grd-session-vnc.c b/src/grd-session-vnc.c
|
||
|
index 813838a..a06d34d 100644
|
||
|
--- a/src/grd-session-vnc.c
|
||
|
+++ b/src/grd-session-vnc.c
|
||
|
@@ -209,6 +209,12 @@ maybe_queue_close_session_idle (GrdSessionVnc *session_vnc)
|
||
|
g_idle_add (close_session_idle, session_vnc);
|
||
|
}
|
||
|
|
||
|
+gboolean
|
||
|
+grd_session_vnc_is_client_gone (GrdSessionVnc *session_vnc)
|
||
|
+{
|
||
|
+ return !session_vnc->rfb_client;
|
||
|
+}
|
||
|
+
|
||
|
static void
|
||
|
handle_client_gone (rfbClientPtr rfb_client)
|
||
|
{
|
||
|
@@ -218,6 +224,7 @@ handle_client_gone (rfbClientPtr rfb_client)
|
||
|
|
||
|
grd_session_vnc_detach_source (session_vnc);
|
||
|
maybe_queue_close_session_idle (session_vnc);
|
||
|
+ session_vnc->rfb_client = NULL;
|
||
|
}
|
||
|
|
||
|
static void
|
||
|
diff --git a/src/grd-session-vnc.h b/src/grd-session-vnc.h
|
||
|
index 579a12a..07678c8 100644
|
||
|
--- a/src/grd-session-vnc.h
|
||
|
+++ b/src/grd-session-vnc.h
|
||
|
@@ -57,4 +57,6 @@ void grd_session_vnc_move_cursor (GrdSessionVnc *session_vnc,
|
||
|
|
||
|
int grd_session_vnc_get_framebuffer_stride (GrdSessionVnc *session_vnc);
|
||
|
|
||
|
+gboolean grd_session_vnc_is_client_gone (GrdSessionVnc *session_vnc);
|
||
|
+
|
||
|
#endif /* GRD_SESSION_VNC_H */
|
||
|
diff --git a/src/grd-vnc-pipewire-stream.c b/src/grd-vnc-pipewire-stream.c
|
||
|
index 78793c4..96dd7c9 100644
|
||
|
--- a/src/grd-vnc-pipewire-stream.c
|
||
|
+++ b/src/grd-vnc-pipewire-stream.c
|
||
|
@@ -234,6 +234,14 @@ do_render (struct spa_loop *loop,
|
||
|
if (!frame)
|
||
|
return 0;
|
||
|
|
||
|
+ if (grd_session_vnc_is_client_gone (stream->session))
|
||
|
+ {
|
||
|
+ g_free (frame->data);
|
||
|
+ g_clear_pointer (&frame->rfb_cursor, rfbFreeCursor);
|
||
|
+ g_free (frame);
|
||
|
+ return 0;
|
||
|
+ }
|
||
|
+
|
||
|
if (frame->rfb_cursor)
|
||
|
grd_session_vnc_set_cursor (stream->session, frame->rfb_cursor);
|
||
|
|
||
|
--
|
||
|
2.26.2
|
||
|
|