debuggers.hg
changeset 16424:614dad9f8fdc
pvfb: PVFB SDL backend chokes on bogus screen updates
Bogus screen update requests from buggy or malicous frontend make SDL
crash. The VNC backend silently ignores them. Catch and log them.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Bogus screen update requests from buggy or malicous frontend make SDL
crash. The VNC backend silently ignores them. Catch and log them.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
| author | Keir Fraser <keir.fraser@citrix.com> |
|---|---|
| date | Fri Nov 16 16:53:43 2007 +0000 (2007-11-16) |
| parents | 1ad85cdcca3d |
| children | 03d6d0f96e12 |
| files | tools/ioemu/hw/xenfb.c |
line diff
1.1 --- a/tools/ioemu/hw/xenfb.c Fri Nov 16 16:43:57 2007 +0000 1.2 +++ b/tools/ioemu/hw/xenfb.c Fri Nov 16 16:53:43 2007 +0000 1.3 @@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen 1.4 rmb(); /* ensure we see ring contents up to prod */ 1.5 for (cons = page->out_cons; cons != prod; cons++) { 1.6 union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); 1.7 + int x, y, w, h; 1.8 1.9 switch (event->type) { 1.10 case XENFB_TYPE_UPDATE: 1.11 - xenfb_guest_copy(xenfb, 1.12 - event->update.x, event->update.y, 1.13 - event->update.width, event->update.height); 1.14 + x = MAX(event->update.x, 0); 1.15 + y = MAX(event->update.y, 0); 1.16 + w = MIN(event->update.width, xenfb->width - x); 1.17 + h = MIN(event->update.height, xenfb->height - y); 1.18 + if (w < 0 || h < 0) { 1.19 + fprintf(stderr, "%s bogus update ignored\n", 1.20 + xenfb->fb.nodename); 1.21 + break; 1.22 + } 1.23 + if (x != event->update.x || y != event->update.y 1.24 + || w != event->update.width 1.25 + || h != event->update.height) { 1.26 + fprintf(stderr, "%s bogus update clipped\n", 1.27 + xenfb->fb.nodename); 1.28 + break; 1.29 + } 1.30 + xenfb_guest_copy(xenfb, x, y, w, h); 1.31 break; 1.32 } 1.33 }