On Tue, Mar 17, 2026 at 12:50:15PM +0400, Marc-André Lureau wrote:
> When a VncJob is freed, its associated VncRectEntry list must also be
> freed. Previously, vnc_job_push() and the disconnected path in
> vnc_worker_thread_loop() called g_free(job) directly, leaking all
> VncRectEntry allocations.
>
> Introduce vnc_job_free() which iterates and frees the rectangle entries
> before freeing the job itself, and use it in both paths.
>
> Also add QLIST_REMOVE() in the worker loop before g_free(entry), so
> that entries processed during normal operation are properly unlinked.
> Without this, vnc_job_free() would iterate dangling pointers to
> already-freed entries, causing use-after-free.
>
> Fixes: bd023f953e5e ("vnc: threaded VNC server")
... Oppps ... Wed Jul 7 2010
> Signed-off-by: Marc-André Lureau <[email protected]>
> ---
> ui/vnc-jobs.c | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
Reviewed-by: Daniel P. Berrangé <[email protected]>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
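The ownership rule the commit message describes (a worker must unlink a VncRectEntry before freeing it, and the job's destructor frees whatever is still linked) modelled as an added, self-contained C example. This is not QEMU's code: the list manipulation mirrors the shape of QLIST (next pointer plus pointer-to-previous-link) but is written from scratch, and the struct names, the rectangle payload and the `live_entries` counter are assumptions made for illustration only.

```c
/* Added example, not QEMU code: a standalone model of the job / rectangle
 * ownership pattern from the commit message. Names and layout are assumed. */
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

/* Rectangle entries currently allocated; lets a caller verify that a job's
 * teardown neither leaks (count > 0) nor double-frees (count < 0). */
static int live_entries;

struct rect_entry {
    int x, y, w, h;                 /* hypothetical payload */
    struct rect_entry *next;
    struct rect_entry **prev;       /* address of the link that points at us */
};

struct job {
    struct rect_entry *rectangles;  /* list head, as in QLIST_HEAD */
};

static void entry_insert_head(struct job *job, struct rect_entry *e)
{
    e->next = job->rectangles;
    if (e->next)
        e->next->prev = &e->next;
    job->rectangles = e;
    e->prev = &job->rectangles;
}

/* Unlink e from the list it is on (what QLIST_REMOVE does). After this the
 * job no longer references e, so freeing e cannot leave a dangling link. */
static void entry_remove(struct rect_entry *e)
{
    if (e->next)
        e->next->prev = e->prev;
    *e->prev = e->next;
    e->next = NULL;
    e->prev = NULL;
}

/* Free every rectangle the job still owns, then the job itself. The next
 * pointer is read before free() so the walk never touches a freed entry. */
static void job_free(struct job *job)
{
    struct rect_entry *e, *next;
    if (!job)
        return;
    for (e = job->rectangles; e; e = next) {
        next = e->next;
        free(e);
        live_entries--;
    }
    free(job);
}

static struct job *job_new(int nrects)
{
    struct job *job = calloc(1, sizeof(*job));
    if (!job)
        return NULL;
    for (int i = 0; i < nrects; i++) {
        struct rect_entry *e = calloc(1, sizeof(*e));
        if (!e) {
            job_free(job);
            return NULL;
        }
        e->x = i * 16;             /* constructed sample payload */
        e->w = e->h = 16;
        live_entries++;
        entry_insert_head(job, e);
    }
    return job;
}

/* Process up to `budget` rectangles the way a worker loop would. Each entry
 * is unlinked before it is freed; skipping entry_remove() here is exactly
 * the bug that leaves job_free() walking freed memory. Returns count done. */
static int worker_process(struct job *job, int budget)
{
    struct rect_entry *e, *next;
    int done = 0;
    for (e = job->rectangles; e && done < budget; e = next) {
        next = e->next;
        entry_remove(e);
        free(e);
        live_entries--;
        done++;
    }
    return done;
}

static int count_rects(const struct job *job)
{
    int n = 0;
    for (const struct rect_entry *e = job->rectangles; e; e = e->next)
        n++;
    return n;
}

int main(void)
{
    struct job *job = job_new(5);
    worker_process(job, 2);            /* client disconnects mid-job */
    printf("left on job: %d\n", count_rects(job));
    job_free(job);
    printf("entries still allocated: %d\n", live_entries);
    return live_entries != 0;
}
```

Running it under AddressSanitizer or valgrind is the useful check: remove the `entry_remove(e)` call from `worker_process` and the same program reports a use-after-free inside `job_free`, which is the failure the commit message describes for the pre-fix worker loop.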