|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 2/2][PVFB][TOOLS] PVFB SDL backend chokes on bogus screen updates
Bogus screen update requests from buggy or malicous frontend make SDL
crash. The VNC backend silently ignores them. Catch and log them.
Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
diff -r 837f83225153 tools/ioemu/hw/xenfb.c
--- a/tools/ioemu/hw/xenfb.c Fri Nov 09 12:08:37 2007 +0000
+++ b/tools/ioemu/hw/xenfb.c Tue Nov 13 17:30:22 2007 +0100
@@ -488,12 +488,27 @@ static void xenfb_on_fb_event(struct xen
rmb(); /* ensure we see ring contents up to prod */
for (cons = page->out_cons; cons != prod; cons++) {
union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
+ int x, y, w, h;
switch (event->type) {
case XENFB_TYPE_UPDATE:
- xenfb_guest_copy(xenfb,
- event->update.x, event->update.y,
- event->update.width,
event->update.height);
+ x = MAX(event->update.x, 0);
+ y = MAX(event->update.y, 0);
+ w = MIN(event->update.width, xenfb->width - x);
+ h = MIN(event->update.height, xenfb->height - y);
+ if (w < 0 || h < 0) {
+ fprintf(stderr, "%s bogus update ignored\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ if (x != event->update.x || y != event->update.y
+ || w != event->update.width
+ || h != event->update.height) {
+ fprintf(stderr, "%s bogus update clipped\n",
+ xenfb->fb.nodename);
+ break;
+ }
+ xenfb_guest_copy(xenfb, x, y, w, h);
break;
}
}
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |