Merge branches 'fix' and 'fix-double-free-fences' of https://github.com/michalsrb/tigervnc
diff --git a/common/rfb/CConnection.cxx b/common/rfb/CConnection.cxx
index 2020418..88befd5 100644
--- a/common/rfb/CConnection.cxx
+++ b/common/rfb/CConnection.cxx
@@ -44,7 +44,6 @@
state_(RFBSTATE_UNINITIALISED), useProtocol3_3(false),
framebuffer(NULL), decoder(this)
{
- security = new SecurityClient();
}
CConnection::~CConnection()
@@ -167,7 +166,7 @@
int secType = secTypeInvalid;
std::list<rdr::U8> secTypes;
- secTypes = security->GetEnabledSecTypes();
+ secTypes = security.GetEnabledSecTypes();
if (cp.isVersion(3,3)) {
@@ -235,7 +234,7 @@
}
state_ = RFBSTATE_SECURITY;
- csecurity = security->GetCSecurity(secType);
+ csecurity = security.GetCSecurity(secType);
processSecurityMsg();
}
diff --git a/common/rfb/CConnection.h b/common/rfb/CConnection.h
index 799a9c2..e0a000f 100644
--- a/common/rfb/CConnection.h
+++ b/common/rfb/CConnection.h
@@ -26,6 +26,7 @@
#include <rfb/CMsgHandler.h>
#include <rfb/DecodeManager.h>
+#include <rfb/SecurityClient.h>
#include <rfb/util.h>
namespace rfb {
@@ -34,7 +35,6 @@
class CMsgWriter;
class CSecurity;
class IdentityVerifier;
- class SecurityClient;
class CConnection : public CMsgHandler {
public:
@@ -148,7 +148,7 @@
stateEnum state() { return state_; }
CSecurity *csecurity;
- SecurityClient *security;
+ SecurityClient security;
protected:
void setState(stateEnum s) { state_ = s; }
diff --git a/common/rfb/SConnection.cxx b/common/rfb/SConnection.cxx
index 17ef4d9..85cc6e8 100644
--- a/common/rfb/SConnection.cxx
+++ b/common/rfb/SConnection.cxx
@@ -51,7 +51,7 @@
SConnection::SConnection()
: readyForSetColourMapEntries(false),
is(0), os(0), reader_(0), writer_(0),
- security(0), ssecurity(0), state_(RFBSTATE_UNINITIALISED),
+ ssecurity(0), state_(RFBSTATE_UNINITIALISED),
preferredEncoding(encodingRaw)
{
defaultMajorVersion = 3;
@@ -60,8 +60,6 @@
defaultMinorVersion = 3;
cp.setVersion(defaultMajorVersion, defaultMinorVersion);
-
- security = new SecurityServer();
}
SConnection::~SConnection()
@@ -142,7 +140,7 @@
std::list<rdr::U8> secTypes;
std::list<rdr::U8>::iterator i;
- secTypes = security->GetEnabledSecTypes();
+ secTypes = security.GetEnabledSecTypes();
if (cp.isVersion(3,3)) {
@@ -161,7 +159,7 @@
os->writeU32(*i);
if (*i == secTypeNone) os->flush();
state_ = RFBSTATE_SECURITY;
- ssecurity = security->GetSSecurity(*i);
+ ssecurity = security.GetSSecurity(*i);
processSecurityMsg();
return;
}
@@ -193,7 +191,7 @@
std::list<rdr::U8> secTypes;
std::list<rdr::U8>::iterator i;
- secTypes = security->GetEnabledSecTypes();
+ secTypes = security.GetEnabledSecTypes();
for (i=secTypes.begin(); i!=secTypes.end(); i++)
if (*i == secType) break;
if (i == secTypes.end())
@@ -204,7 +202,7 @@
try {
state_ = RFBSTATE_SECURITY;
- ssecurity = security->GetSSecurity(secType);
+ ssecurity = security.GetSSecurity(secType);
} catch (rdr::Exception& e) {
throwConnFailedException(e.str());
}
diff --git a/common/rfb/SConnection.h b/common/rfb/SConnection.h
index b43cf08..63dc314 100644
--- a/common/rfb/SConnection.h
+++ b/common/rfb/SConnection.h
@@ -196,7 +196,7 @@
rdr::OutStream* os;
SMsgReader* reader_;
SMsgWriter* writer_;
- SecurityServer *security;
+ SecurityServer security;
SSecurity* ssecurity;
stateEnum state_;
rdr::S32 preferredEncoding;
diff --git a/common/rfb/SMsgReader.cxx b/common/rfb/SMsgReader.cxx
index 89c9a8f..3c08fd6 100644
--- a/common/rfb/SMsgReader.cxx
+++ b/common/rfb/SMsgReader.cxx
@@ -200,6 +200,9 @@
{
is->skip(3);
int len = is->readU32();
+ if (len < 0) {
+ throw Exception("Cut text too long.");
+ }
if (len > maxCutText) {
is->skip(len);
vlog.error("Cut text too long (%d bytes) - ignoring", len);
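Review bot: The new `if (len < 0)` test only works because the unsigned result of `is->readU32()` has already been converted to `int`, so a wire length of 2^31 or more is caught only after it has wrapped negative. Keeping the value unsigned, e.g. `rdr::U32 len = is->readU32();`, and rejecting anything above the supported maximum would make the bound explicit and keep `is->skip(len)` from ever receiving a signed quantity. The comparison with `maxCutText` would then need a matching cast. The exception text is also nearly identical to the log line in the "ignoring" branch just below, although this path appears to abort message handling instead of skipping; a distinct message such as `"Cut text length out of range"` would make the two cases distinguishable in logs. The enclosing function starts and ends outside the hunk.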
diff --git a/common/rfb/SMsgWriter.cxx b/common/rfb/SMsgWriter.cxx
index cf3264e..bc3f439 100644
--- a/common/rfb/SMsgWriter.cxx
+++ b/common/rfb/SMsgWriter.cxx
@@ -101,7 +101,9 @@
os->writeU32(flags);
os->writeU8(len);
- os->writeBytes(data, len);
+
+ if (len > 0)
+ os->writeBytes(data, len);
endMsg();
}
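Review bot: The added `if (len > 0)` guard carries no comment explaining why a zero-length write must be skipped. From the rest of this commit the reason appears to be that `data` can be NULL when the fence has no payload, so I would add `// data may be NULL when len == 0; do not pass it to writeBytes` above the guard. Separately, the length goes out as `os->writeU8(len)` while `writeBytes(data, len)` sends the full count, so the two disagree if `len` can exceed 255. The start of the function is outside the hunk, so please confirm an earlier check bounds `len`.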
diff --git a/common/rfb/VNCSConnectionST.cxx b/common/rfb/VNCSConnectionST.cxx
index 0a2ca33..d2206f9 100644
--- a/common/rfb/VNCSConnectionST.cxx
+++ b/common/rfb/VNCSConnectionST.cxx
@@ -666,6 +666,7 @@
fenceFlags = flags & (fenceFlagBlockBefore | fenceFlagBlockAfter | fenceFlagSyncNext);
fenceDataLen = len;
delete [] fenceData;
+ fenceData = NULL;
if (len > 0) {
fenceData = new char[len];
memcpy(fenceData, data, len);
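Review bot: `fenceDataLen = len;` is still assigned before the allocation, so if `new char[len]` throws, the object is left with `fenceData == NULL` and a nonzero `fenceDataLen`. Any later code that trusts the length would then read through a null pointer. Setting `fenceDataLen = 0;` next to the new `fenceData = NULL;` and moving `fenceDataLen = len;` to after the `memcpy` keeps the pair consistent on every path. Whether `len` is bounded before this point is not visible here, since the function begins outside the hunk. A `std::vector<char>` member would remove the manual `delete []`/`new` pairing that made the double free possible in the first place.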