From 96e163bdae65aa2c68e4301cf9ebe29e9f53f3d9 Mon Sep 17 00:00:00 2001
From: Quentin BUATHIER <qbuathier@tetrane.com>
Date: Wed, 8 Aug 2018 16:14:39 +0200
Subject: [PATCH] Fix use-after-free

---
 libvncserver/main.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/libvncserver/main.c
+++ b/libvncserver/main.c
@@ -1064,15 +1064,21 @@
 
 void rfbShutdownServer(rfbScreenInfoPtr screen,rfbBool disconnectClients) {
   if(disconnectClients) {
-    rfbClientPtr cl;
     rfbClientIteratorPtr iter = rfbGetClientIterator(screen);
-    while( (cl = rfbClientIteratorNext(iter)) ) {
-      if (cl->sock > -1) {
-       /* we don't care about maxfd here, because the server goes away */
-       rfbCloseClient(cl);
-       rfbClientConnectionGone(cl);
+    rfbClientPtr nextCl, currentCl = rfbClientIteratorNext(iter);
+
+    while(currentCl) {
+      nextCl = rfbClientIteratorNext(iter);
+      if (currentCl->sock > -1) {
+        /* we don't care about maxfd here, because the server goes away */
+        rfbCloseClient(currentCl);
       }
+
+      rfbClientConnectionGone(currentCl);
+
+      currentCl = nextCl;
     }
+
     rfbReleaseClientIterator(iter);
   }
 
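Review bot: `rfbClientConnectionGone(currentCl)` now runs for every client, including those with `sock <= -1` that the old loop skipped, and neither the hunk nor the commit message says why that is safe. If a client whose socket is already closed can also be torn down by another path (for example its own handler thread in a threaded build, which is not visible here), this turns into a double free, so the ownership assumption should be stated or the call guarded. The prefetch also deserves a comment above `nextCl = rfbClientIteratorNext(iter);`, e.g. `/* advance first: rfbClientConnectionGone() presumably releases currentCl, so the iterator must not step from it afterwards */`. rfbShutdownServer continues past the end of the hunk, so the rest of the teardown is not reviewed here.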
