[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus screen updates
Bogus screen update requests from buggy or malicous frontend make SDL crash. The VNC backend silently ignores them. Catch and log them. Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx> diff -r 837f83225153 tools/ioemu/hw/xenfb.c --- a/tools/ioemu/hw/xenfb.c Fri Nov 09 12:08:37 2007 +0000 +++ b/tools/ioemu/hw/xenfb.c Tue Nov 13 17:30:22 2007 +0100 @@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen rmb(); /* ensure we see ring contents up to prod */ for (cons = page->out_cons; cons != prod; cons++) { union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); + int x, y, w, h; switch (event->type) { case XENFB_TYPE_UPDATE: - xenfb_guest_copy(xenfb, - event->update.x, event->update.y, - event->update.width, event->update.height); + x = MAX(event->update.x, 0); + y = MAX(event->update.y, 0); + w = MIN(event->update.width, xenfb->width - x); + h = MIN(event->update.height, xenfb->height - y); + if (w < 0 || h < 0) { + fprintf(stderr, "%s bogus update ignored\n", + xenfb->fb.nodename); + break; + } + if (x != event->update.x || y != event->update.y + || w != event->update.width + || h != event->update.height) { + fprintf(stderr, "%s bogus update clipped\n", + xenfb->fb.nodename); + break; + } + xenfb_guest_copy(xenfb, x, y, w, h); break; } } _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |