]> xenbits.xensource.com Git - xen.git/commitdiff
projects / xen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e4d4fa0)
pvfb: PVFB SDL backend chokes on bogus screen updates
authorKeir Fraser <keir.fraser@citrix.com>
Fri, 16 Nov 2007 16:53:43 +0000 (16:53 +0000)
committerKeir Fraser <keir.fraser@citrix.com>
Fri, 16 Nov 2007 16:53:43 +0000 (16:53 +0000)
Bogus screen update requests from buggy or malicous frontend make SDL
crash.  The VNC backend silently ignores them.  Catch and log them.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
tools/ioemu/hw/xenfb.c patch | blob | blame | history

diff --git a/tools/ioemu/hw/xenfb.c b/tools/ioemu/hw/xenfb.c
index a36caae7a2d32c0f869e717603243dbdbc4f87a1..f3ee4b2d0221f0bf98072b9da0cceb67c16e2f65 100644 (file)
--- a/tools/ioemu/hw/xenfb.c
+++ b/tools/ioemu/hw/xenfb.c
@@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xenfb *xenfb)
        rmb();                  /* ensure we see ring contents up to prod */
        for (cons = page->out_cons; cons != prod; cons++) {
                union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+               int x, y, w, h;
 
                switch (event->type) {
                case XENFB_TYPE_UPDATE:
-                       xenfb_guest_copy(xenfb,
-                                        event->update.x, event->update.y,
-                                        event->update.width, event->update.height);
+                       x = MAX(event->update.x, 0);
+                       y = MAX(event->update.y, 0);
+                       w = MIN(event->update.width, xenfb->width - x);
+                       h = MIN(event->update.height, xenfb->height - y);
+                       if (w < 0 || h < 0) {
+                               fprintf(stderr, "%s bogus update ignored\n",
+                                       xenfb->fb.nodename);
+                               break;
+                       }
+                       if (x != event->update.x || y != event->update.y
+                           || w != event->update.width
+                           || h != event->update.height) {
+                               fprintf(stderr, "%s bogus update clipped\n",
+                                       xenfb->fb.nodename);
+                               break;
+                       }
+                       xenfb_guest_copy(xenfb, x, y, w, h);
                        break;
                }
        }
Xen (staging and unstable) mirror