[gnome-remote-desktop/gnome-42] rdp-gfx-surface: Delete GFX surface before clearing its members



commit adf134b6c8692e65fc41bc304b5894810a138f01
Author: Pascal Nowack <Pascal Nowack gmx de>
Date:   Wed Jul 6 07:49:24 2022 +0200

    rdp-gfx-surface: Delete GFX surface before clearing its members
    
    When clearing a GFX surface, the graphics pipeline currently first
    clears its members, which are, if they exist, the render surface and
    the frame controller, and then deletes the GFX surface itself.
    This currently has the effect that, when the client sends a frame
    acknowledgement for a frame that was rendered on a GFX surface that
    is about to be cleared, the respective frame controller is used
    while it is in the process of being deleted, leading to a crash where a
    NULL pointer is dereferenced.
    The reason for this situation is that for each surface, a surface
    context is created, which also contains a pointer to the GFX surface.
    This is necessary to be able to map frame ids to surfaces at any time,
    even when the respective surface is already deleted.
    When clearing a surface, it is first removed from the surface table,
    while the GFX mutex is locked, and then actually deleted, where the GFX
    mutex has to be unlocked first, to not lock it again.
    In this process of unlocking the GFX mutex and locking it again, a frame
    acknowledgement can happen, and in this situation the frame controller
    might be in the process of deletion, leading to a NULL pointer
    dereference where the frame controller or one of its members is being
    looked up.
    
    To fix this issue, simply delete the GFX surface first. This also
    clears the pointer to the GFX surface in the surface context.
    The other members of the GFX surface can afterwards be cleared without
    any problems.
    
    https://errors.ubuntu.com/problem/ecf34bd0b58c72cf2d1f03ba4222b71cc62e0d83

 src/grd-rdp-gfx-surface.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/src/grd-rdp-gfx-surface.c b/src/grd-rdp-gfx-surface.c
index edd38846..6a2cc56c 100644
--- a/src/grd-rdp-gfx-surface.c
+++ b/src/grd-rdp-gfx-surface.c
@@ -162,9 +162,6 @@ grd_rdp_gfx_surface_dispose (GObject *object)
 {
   GrdRdpGfxSurface *gfx_surface = GRD_RDP_GFX_SURFACE (object);
 
-  g_clear_object (&gfx_surface->frame_controller);
-  g_clear_object (&gfx_surface->render_surface);
-
   if (gfx_surface->created)
     {
       grd_rdp_graphics_pipeline_delete_surface (gfx_surface->graphics_pipeline,
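Review bot: the statement order in grd_rdp_gfx_surface_dispose() is now what prevents the crash, but nothing in the function says so. Add a short comment above the `if (gfx_surface->created)` block stating that the surface has to be deleted from the graphics pipeline before frame_controller and render_surface are released, because, per the commit message, that deletion is what clears the surface context's pointer to the GFX surface. Without it, a later cleanup that groups the g_clear_object() calls at the top of dispose again would silently reintroduce the race with the frame acknowledgement path.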
@@ -172,6 +169,9 @@ grd_rdp_gfx_surface_dispose (GObject *object)
       gfx_surface->created = FALSE;
     }
 
+  g_clear_object (&gfx_surface->frame_controller);
+  g_clear_object (&gfx_surface->render_surface);
+
   G_OBJECT_CLASS (grd_rdp_gfx_surface_parent_class)->dispose (object);
 }
 
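Review bot: the two g_clear_object() calls added after the `if (gfx_surface->created)` block run unconditionally, so when created is FALSE the frame controller and render surface are released without grd_rdp_graphics_pipeline_delete_surface() having been called. The fix depends on that call clearing the pointer in the surface context, so please confirm (in the commit message or a comment) that a surface context can only reference this GFX surface while created is TRUE. If that is not guaranteed, the frame acknowledgement path can still reach a frame controller that is being cleared, and the lookup there would need its own NULL check.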

