ia64/xen-unstable

changeset 16386:614dad9f8fdc

pvfb: PVFB SDL backend chokes on bogus screen updates

Bogus screen update requests from buggy or malicous frontend make SDL
crash. The VNC backend silently ignores them. Catch and log them.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri Nov 16 16:53:43 2007 +0000 (2007-11-16)
parents 1ad85cdcca3d
children 03d6d0f96e12
files tools/ioemu/hw/xenfb.c
line diff
     1.1 --- a/tools/ioemu/hw/xenfb.c	Fri Nov 16 16:43:57 2007 +0000
     1.2 +++ b/tools/ioemu/hw/xenfb.c	Fri Nov 16 16:53:43 2007 +0000
     1.3 @@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen
     1.4  	rmb();			/* ensure we see ring contents up to prod */
     1.5  	for (cons = page->out_cons; cons != prod; cons++) {
     1.6  		union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
     1.7 +		int x, y, w, h;
     1.8  
     1.9  		switch (event->type) {
    1.10  		case XENFB_TYPE_UPDATE:
    1.11 -			xenfb_guest_copy(xenfb,
    1.12 -					 event->update.x, event->update.y,
    1.13 -					 event->update.width, event->update.height);
    1.14 +			x = MAX(event->update.x, 0);
    1.15 +			y = MAX(event->update.y, 0);
    1.16 +			w = MIN(event->update.width, xenfb->width - x);
    1.17 +			h = MIN(event->update.height, xenfb->height - y);
    1.18 +			if (w < 0 || h < 0) {
    1.19 +				fprintf(stderr, "%s bogus update ignored\n",
    1.20 +					xenfb->fb.nodename);
    1.21 +				break;
    1.22 +			}
    1.23 +			if (x != event->update.x || y != event->update.y
    1.24 +			    || w != event->update.width
    1.25 +			    || h != event->update.height) {
    1.26 +				fprintf(stderr, "%s bogus update clipped\n",
    1.27 +					xenfb->fb.nodename);
    1.28 +				break;
    1.29 +			}
    1.30 +			xenfb_guest_copy(xenfb, x, y, w, h);
    1.31  			break;
    1.32  		}
    1.33  	}