From: Armin Novak Date: Wed, 19 Apr 2017 12:43:06 +0000 (+0200) Subject: Fixed use after free of region. X-Git-Tag: 2.0.0-rc0~43^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=614d5f0a8eaa9437a78f1a7f8f079646115a1020;p=platform%2Fupstream%2Ffreerdp.git Fixed use after free of region.
---
diff --git a/libfreerdp/gdi/gfx.c b/libfreerdp/gdi/gfx.c
index 3f3d975..c3323b9 100644
--- a/libfreerdp/gdi/gfx.c
+++ b/libfreerdp/gdi/gfx.c
@@ -233,6 +233,8 @@ static UINT gdi_SurfaceCommand_Uncompressed(rdpGdi* gdi, region16_union_rect(&(surface->invalidRegion), &(surface->invalidRegion), &invalidRect); + IFCALL(context->UpdateSurfaceArea, context, surface->surfaceId, 1, &invalidRect); + if (!gdi->inGfxFrame) { status = CHANNEL_RC_NOT_INITIALIZED;
@@ -278,11 +280,12 @@ static UINT gdi_SurfaceCommand_RemoteFX(rdpGdi* gdi, } rects = region16_rects(&invalidRegion, &nrRects); - region16_uninit(&invalidRegion); IFCALL(context->UpdateSurfaceArea, context, surface->surfaceId, nrRects, rects); for (x=0; xinvalidRegion, &surface->invalidRegion, &rects[x]); + + region16_uninit(&invalidRegion); if (!gdi->inGfxFrame) { status = CHANNEL_RC_NOT_INITIALIZED;
@@ -331,6 +334,7 @@ static UINT gdi_SurfaceCommand_ClearCodec(rdpGdi* gdi, invalidRect.bottom = cmd->bottom; region16_union_rect(&(surface->invalidRegion), &(surface->invalidRegion), &invalidRect); + IFCALL(context->UpdateSurfaceArea, context, surface->surfaceId, 1, &invalidRect); if (!gdi->inGfxFrame)
@@ -377,6 +381,7 @@ static UINT gdi_SurfaceCommand_Planar(rdpGdi* gdi, RdpgfxClientContext* context, invalidRect.bottom = cmd->bottom; region16_union_rect(&(surface->invalidRegion), &(surface->invalidRegion), &invalidRect); + IFCALL(context->UpdateSurfaceArea, context, surface->surfaceId, 1, &invalidRect); if (!gdi->inGfxFrame)
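Review bot: The `IFCALL(context->UpdateSurfaceArea, ...)` line that the gdi_SurfaceCommand_Uncompressed hunk appears to add is a new callback invocation rather than part of the use-after-free fix, and its result is discarded. If UpdateSurfaceArea returns a UINT status (its prototype is not visible here), a failing client callback goes unnoticed; consider `IFCALLRET(context->UpdateSurfaceArea, status, context, surface->surfaceId, 1, &invalidRect);` followed by a check of `status`. The page has lost its line layout, so which `+` line carries the call and which is a blank line is inferred from the hunk counts. The function body starts and ends outside the hunk.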
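Review bot: In the gdi_SurfaceCommand_RemoteFX hunk the loop is now only safe as long as `region16_uninit(&invalidRegion)` stays below the last use of `rects`, and nothing in the code says so. `rects` comes from `region16_rects(&invalidRegion, &nrRects)` and, as the fix implies, points into storage owned by `invalidRegion`, so a later reordering would silently reintroduce the use after free. I would add a comment above the moved call, e.g. `/* rects aliases invalidRegion's storage: release the region only after the last use of rects */`. The same applies to the gdi_SurfaceCommand_Progressive hunk; both function bodies extend beyond their hunks.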
@@ -560,6 +565,7 @@ static UINT gdi_SurfaceCommand_Alpha(rdpGdi* gdi, RdpgfxClientContext* context, &invalidRect); IFCALL(context->UpdateSurfaceArea, context, surface->surfaceId, 1, &invalidRect); + if (!gdi->inGfxFrame) { status = CHANNEL_RC_NOT_INITIALIZED;
@@ -620,12 +626,13 @@ static UINT gdi_SurfaceCommand_Progressive(rdpGdi* gdi, region16_uninit(&invalidRegion); return ERROR_INTERNAL_ERROR; } + rects = region16_rects(&invalidRegion, &nrRects); - region16_uninit(&invalidRegion); IFCALL(context->UpdateSurfaceArea, context, surface->surfaceId, nrRects, rects); for (x=0; xinvalidRegion, &surface->invalidRegion, &rects[x]); + region16_uninit(&invalidRegion); if (!gdi->inGfxFrame) {