From b4cb916f6321a6ed90465e0e56e17b3678510a69 Mon Sep 17 00:00:00 2001
From: Sam Lantinga <[EMAIL REDACTED]>
Date: Sun, 2 Feb 2025 09:20:07 -0800
Subject: [PATCH] Fixed double-free when a surface is RLE encoded
---
src/sdl2_compat.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/sdl2_compat.c b/src/sdl2_compat.c
index 69df06a..92f7c21 100644
--- a/src/sdl2_compat.c
+++ b/src/sdl2_compat.c
@@ -2787,7 +2787,16 @@ static SDL2_Surface *Surface3to2(SDL_Surface *surface)
if (surface) {
surface2 = (SDL2_Surface *)SDL3_GetPointerProperty(SDL3_GetSurfaceProperties(surface), PROP_SURFACE2, NULL);
- if (!surface2) {
+ if (surface2) {
+ /* Synchronize any changes made by SDL to the SDL3 surface
+ * SDL might have changed flags or freed the pixels, e.g.:
+ * https://github.com/libsdl-org/SDL/blob/be991239d9bc6df06b0ca7a9ae9dbb7251e93c12/src/video/SDL_RLEaccel.c#L1180-L1189
+ */
+ surface2->flags &= ~(surface->flags & SHARED_SURFACE_FLAGS);
+ surface2->flags |= (surface->flags & SHARED_SURFACE_FLAGS);
+ surface2->pixels = surface->pixels;
+ surface2->pitch = surface->pitch;
+ } else {
surface2 = CreateSurface2from3(surface);
}
}
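Review bot: The flag synchronization in the added `if (surface2)` branch can only set bits, never clear them: `surface2->flags &= ~(surface->flags & SHARED_SURFACE_FLAGS);` clears exactly the bits that the next line ORs back in, so the pair reduces to `surface2->flags |= (surface->flags & SHARED_SURFACE_FLAGS);`. A shared flag that SDL3 has dropped on `surface` (the situation the new comment describes) therefore stays set on `surface2`, leaving the SDL2 view out of step with the `pixels` and `pitch` values copied just below it. If the intent is to mirror the shared bits, the first line should clear the whole mask, `surface2->flags &= ~SHARED_SURFACE_FLAGS;`, with the OR line kept as is. `SHARED_SURFACE_FLAGS` and the rest of `Surface3to2` lie outside this hunk, so which flags are affected should be confirmed against the definition.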