From 809df89c0869e6c595c19ef6b4b1d2cbfab802ff Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Mon, 3 Jun 2024 15:50:16 +0100
Subject: [PATCH] Prevent SEGV when resizing with GFX

The xrdp_enc_data contains a union for handling surface commands and gfx commands. Memory processing is different for these two options. The default destructor for the encoder FIFO only knows about surface commands. Consequently, if the encoder has queued GFX data when the encoder is closed, the destructor processes the queued data as if it contained surface commands rather than GFX commands. This typically causes a SEGV as the drects field of the overlaid surface command structure is not pointing at anything valid when it is freed.
---
 xrdp/xrdp_encoder.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/xrdp/xrdp_encoder.c b/xrdp/xrdp_encoder.c
index 2f077b5c..ad4aaeb5 100644
--- a/xrdp/xrdp_encoder.c
+++ b/xrdp/xrdp_encoder.c
@@ -88,8 +88,15 @@ static void
 xrdp_enc_data_destructor(void *item, void *closure)
 {
 XRDP_ENC_DATA *enc = (XRDP_ENC_DATA *)item;
- g_free(enc->u.sc.drects);
- g_free(enc->u.sc.crects);
+ if (ENC_IS_BIT_SET(enc->flags, ENC_FLAGS_GFX_BIT))
+ {
+ g_free(enc->u.gfx.cmd);
+ }
+ else
+ {
+ g_free(enc->u.sc.drects);
+ g_free(enc->u.sc.crects);
+ }
 g_free(enc);
 }
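Review bot: The new branch in xrdp_enc_data_destructor makes `enc->flags` the sole discriminant of the `u` union, but nothing in the hunk documents that invariant. An item queued with `ENC_FLAGS_GFX_BIT` unset or stale would be freed through the wrong member again, and an invalid free is heap corruption rather than a guaranteed crash. I would add a comment above the `if`, for example `/* enc->flags selects the live member of enc->u; free only the pointers that member owns */`. It is also worth confirming in the struct definition, which is outside this hunk, that `u.gfx` owns no heap pointer other than `cmd`, otherwise the GFX path leaks on close. The function's `static void` line appears only in the hunk header; the body is fully visible.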