 Home |
Products |
Support |
Community |
News |
xen-devel
[Xen-devel] [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus sc
| To: | <xen-devel@xxxxxxxxxxxxxxxxxxx> |
|---|---|
| Subject: | [Xen-devel] [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus screen updates |
| From: | Markus Armbruster <armbru@xxxxxxxxxx> |
| Date: | Tue, 13 Nov 2007 17:44:30 +0100 |
| Delivery-date: | Tue, 13 Nov 2007 08:45:20 -0800 |
| Envelope-to: | www-data@xxxxxxxxxxxxxxxxxx |
| In-reply-to: | <871waurt8t.fsf@xxxxxxxxxxxxxxxxx> (Markus Armbruster's message of "Tue\, 13 Nov 2007 17\:43\:30 +0100") |
| List-help: | <mailto:xen-devel-request@lists.xensource.com?subject=help> |
| List-id: | Xen developer discussion <xen-devel.lists.xensource.com> |
| List-post: | <mailto:xen-devel@lists.xensource.com> |
| List-subscribe: | <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe> |
| List-unsubscribe: | <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe> |
| References: | <871waurt8t.fsf@xxxxxxxxxxxxxxxxx> |
| Sender: | xen-devel-bounces@xxxxxxxxxxxxxxxxxxx |
| User-agent: | Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux) |
Bogus screen update requests from buggy or malicous frontend make SDL
crash. The VNC backend silently ignores them. Catch and log them.
Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
diff -r 837f83225153 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c Fri Nov 09 12:08:37 2007 +0000
+++ b/tools/ioemu/hw/xenfb.c Tue Nov 13 17:30:22 2007 +0100
@@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen
rmb(); /* ensure we see ring contents up to prod */
for (cons = page->out_cons; cons != prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+ int x, y, w, h;
switch (event->type) {
case XENFB_TYPE_UPDATE:
- xenfb_guest_copy(xenfb,
- event->update.x, event->update.y,
- event->update.width,
event->update.height);
+ x = MAX(event->update.x, 0);
+ y = MAX(event->update.y, 0);
+ w = MIN(event->update.width, xenfb->width - x);
+ h = MIN(event->update.height, xenfb->height - y);
+ if (w < 0 || h < 0) {
+ fprintf(stderr, "%s bogus update ignored\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ if (x != event->update.x || y != event->update.y
+ || w != event->update.width
+ || h != event->update.height) {
+ fprintf(stderr, "%s bogus update clipped\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ xenfb_guest_copy(xenfb, x, y, w, h);
break;
}
}
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | [Xen-devel] [PATCH 1/2][PVFB][TOOLS] PVFB frontend can send bogus screen updates, Markus Armbruster |
|---|---|
| Next by Date: | Re: [Xen-devel] [PATCH] grant table and bogus mfns, Keir Fraser |
| Previous by Thread: | [Xen-devel] [PATCH 1/2][PVFB][TOOLS] PVFB frontend can send bogus screen updates, Markus Armbruster |
| Next by Thread: | [Xen-devel] xend crash for freeing invalid pointer in python, Guillaume Rousse |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
