From dbfa4ad1f78f6133bc5f50e766f7f3bfdb8fa049 Mon Sep 17 00:00:00 2001
From: runge
Date: Tue, 24 Jun 2008 22:33:41 +0000
Subject: [PATCH] We seem to need to guard against freeing iterator 'i' twice in rfbSendFramebufferUpdate() (italc reported bug)
---
 libvncserver/rfbserver.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/libvncserver/rfbserver.c b/libvncserver/rfbserver.c
index 767b673..1fc90c1 100644
--- a/libvncserver/rfbserver.c
+++ b/libvncserver/rfbserver.c
@@ -2631,7 +2631,7 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
 rows = (h-1)/cl->correMaxHeight+1;
 nUpdateRegionRects += rectsPerRow*rows;
 }
- sraRgnReleaseIterator(i);
+ sraRgnReleaseIterator(i); i=NULL;
 } else if (cl->preferredEncoding == rfbEncodingUltra) {
 nUpdateRegionRects = 0;
@@ -2645,7 +2645,7 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
 rfbScaledCorrection(cl->screen, cl->scaledScreen, &x, &y, &w, &h, "rfbSendFramebufferUpdate");
 nUpdateRegionRects += (((h-1) / (ULTRA_MAX_SIZE( w ) / w)) + 1);
 }
- sraRgnReleaseIterator(i);
+ sraRgnReleaseIterator(i); i=NULL;
 #ifdef LIBVNCSERVER_HAVE_LIBZ
 } else if (cl->preferredEncoding == rfbEncodingZlib) {
 nUpdateRegionRects = 0;
@@ -2660,7 +2660,7 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
 rfbScaledCorrection(cl->screen, cl->scaledScreen, &x, &y, &w, &h, "rfbSendFramebufferUpdate");
 nUpdateRegionRects += (((h-1) / (ZLIB_MAX_SIZE( w ) / w)) + 1);
 }
- sraRgnReleaseIterator(i);
+ sraRgnReleaseIterator(i); i=NULL;
 #ifdef LIBVNCSERVER_HAVE_LIBJPEG
 } else if (cl->preferredEncoding == rfbEncodingTight) {
 nUpdateRegionRects = 0;
@@ -2681,7 +2681,7 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
 }
 nUpdateRegionRects += n;
 }
- sraRgnReleaseIterator(i);
+ sraRgnReleaseIterator(i); i=NULL;
 #endif
 #endif
 } else {
@@ -2806,6 +2806,10 @@ rfbSendFramebufferUpdate(rfbClientPtr cl,
 #endif
 }
 }
+ if (i) {
+ sraRgnReleaseIterator(i);
+ i = NULL;
+ }
 if ( nUpdateRegionRects == 0xFFFF &&
 !rfbSendLastRectMarker(cl) )
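Review bot: The release-and-clear pair `sraRgnReleaseIterator(i); i=NULL;` in the CoRRE branch (`@@ -2631`) puts two statements on one line and is repeated verbatim in the Ultra, Zlib and Tight branches (`@@ -2645`, `@@ -2660`, `@@ -2681`). A branch added later in the old one-statement form would leave a stale pointer that any `if (i)` release further down frees a second time. One small static helper or macro that releases and clears would keep the invariant in a single place. Failing that, put the two statements on separate lines under a comment such as `/* clear i: the common release after the send loop must not free it again */`. rfbSendFramebufferUpdate starts and ends outside these hunks, so whether the final `else` branch or any other release site also clears `i` cannot be confirmed from here.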
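Review bot: The `if (i)` guard added at `@@ -2806` is only sound if `i` is NULL whenever no iterator is live, and that depends on code this patch does not show. The declaration of `i` has to initialise it to NULL, and any failure path that leaves the send loop above and releases the iterator elsewhere has to clear it as well; otherwise the guard tests an indeterminate or stale pointer. Since this function runs for every client update in a network-facing server, it is worth stating the invariant where `i` is declared, for example `/* i is non-NULL only while an iterator is live; every release must reset it to NULL */`. The enclosing function begins and ends outside the hunk, so both conditions should be checked against the full file.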