|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen-unstable] pvfb: PVFB SDL backend chokes on bogus screen updates
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1195232023 0
# Node ID 614dad9f8fdcda21b5e0083cce3320b17bfcefdd
# Parent 1ad85cdcca3d99130ce3a74ab3203a3f14c25858
pvfb: PVFB SDL backend chokes on bogus screen updates
Bogus screen update requests from buggy or malicous frontend make SDL
crash. The VNC backend silently ignores them. Catch and log them.
Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
---
tools/ioemu/hw/xenfb.c | 21 ++++++++++++++++++---
1 files changed, 18 insertions(+), 3 deletions(-)
diff -r 1ad85cdcca3d -r 614dad9f8fdc tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c Fri Nov 16 16:43:57 2007 +0000
+++ b/tools/ioemu/hw/xenfb.c Fri Nov 16 16:53:43 2007 +0000
@@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen
rmb(); /* ensure we see ring contents up to prod */
for (cons = page->out_cons; cons != prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+ int x, y, w, h;
switch (event->type) {
case XENFB_TYPE_UPDATE:
- xenfb_guest_copy(xenfb,
- event->update.x, event->update.y,
- event->update.width,
event->update.height);
+ x = MAX(event->update.x, 0);
+ y = MAX(event->update.y, 0);
+ w = MIN(event->update.width, xenfb->width - x);
+ h = MIN(event->update.height, xenfb->height - y);
+ if (w < 0 || h < 0) {
+ fprintf(stderr, "%s bogus update ignored\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ if (x != event->update.x || y != event->update.y
+ || w != event->update.width
+ || h != event->update.height) {
+ fprintf(stderr, "%s bogus update clipped\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ xenfb_guest_copy(xenfb, x, y, w, h);
break;
}
}
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |