From: Keir Fraser
Date: Thu, 6 Dec 2007 16:34:56 +0000 (+0000)
Subject: pvfb: PVFB SDL backend chokes on bogus screen updates
X-Git-Tag: 3.1.3-rc1~98
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=b5e18e946fc8c85a58212b6736cd57bb7820852e;p=people%2Fvhanquez%2Fxen.git

pvfb: PVFB SDL backend chokes on bogus screen updates

Bogus screen update requests from buggy or malicous frontend make SDL crash. The VNC backend silently ignores them. Catch and log them.

Signed-off-by: Markus Armbruster
xen-unstable changeset: 16386:614dad9f8fdcda21b5e0083cce3320b17bfcefdd
xen-unstable date: Fri Nov 16 16:53:43 2007 +0000
---
diff --git a/tools/xenfb/xenfb.c b/tools/xenfb/xenfb.c
index eb46de1c9..e48493765 100644
--- a/tools/xenfb/xenfb.c
+++ b/tools/xenfb/xenfb.c
@@ -21,6 +21,13 @@
 #include "xenfb.h"
+#ifndef MIN
+#define MIN(a, b) (((a) < (b)) ? (a) : (b))
+#endif
+#ifndef MAX
+#define MAX(a, b) (((a) > (b)) ? (a) : (b))
+#endif
+
 // FIXME defend against malicious frontend?
 struct xenfb_device {
@@ -617,6 +624,7 @@ static void xenfb_on_fb_event(struct xenfb_private *xenfb)
 {
 uint32_t prod, cons;
 struct xenfb_page *page = xenfb->fb.page;
+ int x, y, w, h;
 prod = page->out_prod;
 if (prod == page->out_cons)
@@ -627,10 +635,28 @@ static void xenfb_on_fb_event(struct xenfb_private *xenfb)
 switch (event->type) {
 case XENFB_TYPE_UPDATE:
- if (xenfb->pub.update)
+ if (!xenfb->pub.update)
+ break;
+ x = MAX(event->update.x, 0);
+ y = MAX(event->update.y, 0);
+ w = MIN(event->update.width, xenfb->pub.width - x);
+ h = MIN(event->update.height, xenfb->pub.height - y);
+ if (w < 0 || h < 0) {
+ fprintf(stderr, "%s bogus update ignored\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ if (x != event->update.x || y != event->update.y
+ || w != event->update.width
+ || h != event->update.height) {
+ fprintf(stderr, "%s bogus update clipped\n",
+ xenfb->fb.nodename);
+ break;
+ }
 xenfb->pub.update(&xenfb->pub,
 event->update.x, event->update.y,
- event->update.width, event->update.height);
+ event->update.width,
+ event->update.height);
 break;
 }
 }
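Review bot: The bounds check and the `xenfb->pub.update()` call at the end of the `XENFB_TYPE_UPDATE` case do not work on the same values: the check computes `x, y, w, h`, but the call still passes `event->update.*`, and the `MIN`/`MAX` macros added in the first hunk evaluate each field twice. Where `event` is assigned lies outside this hunk; if it points into the page shared with the frontend (the function takes `page` from `xenfb->fb.page`), the fields can change between check and use, so the request should be copied into the locals once and only the locals used afterwards. The second `fprintf` says "bogus update clipped" but its branch ends in `break;`, so the update is dropped rather than clipped; the fence below folds both cases into one rejection with the "ignored" message, and if clipping is the intent the clamp should instead run on the copied values with that `break;` removed. The field types of `event->update` are not visible here, so confirm the copy into `int` is lossless, and a compiler barrier after the copy may be needed to stop the fields being re-read.

```c
case XENFB_TYPE_UPDATE:
	if (!xenfb->pub.update)
		break;
	/* Copy the request once so the checks and the call see the same values. */
	x = event->update.x;
	y = event->update.y;
	w = event->update.width;
	h = event->update.height;
	if (x < 0 || y < 0 || w < 0 || h < 0
	    || w > xenfb->pub.width - x
	    || h > xenfb->pub.height - y) {
		fprintf(stderr, "%s bogus update ignored\n",
			xenfb->fb.nodename);
		break;
	}
	xenfb->pub.update(&xenfb->pub, x, y, w, h);
	break;
```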